Cryptographic system and computer readable medium

ABSTRACT

A cryptographic system (10) performs a cryptographic process using a basis B and a basis B*. An encryption device (200) generates a ciphertext including a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) of a polynomial having x_(i) as roots and a second vector consisting of v₁^(i) being a power of v₁. A decryption device (300) decrypts the ciphertext generated by the encryption device (200) with a decryption key including a reception-side vector being a vector in the basis B* and being generated using the other vector of the first vector and the second vector.

TECHNICAL FIELD

The present invention relates to a functional encryption (FE) scheme.

BACKGROUND ART

Patent Literature 1 describes a functional encryption (FE) scheme.

CITATION LIST Patent Literature

-   Patent Literature 1: JP 2012-133214 A

Non-Patent Literature

-   Non-Patent Literature 1: Attrapadung, N., Libert, B., de Panafieu, E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano et al. [6], pp. 90-108
-   Non-Patent Literature 2: Okamoto, T., Takashima, K.: Achieving Short Ciphertexts or Short Secret-Keys for Adaptively Secure General Inner-Product Encryption. CANS 2011, LNCS, vol. 7092, pp. 138-159, Springer Heidelberg (2011).
-   Non-Patent Literature 3: Okamoto, T., Takashima, K.: Decentralized Attribute-Based Signatures. ePrint http://eprint.iacr.org/2011/701

SUMMARY OF INVENTION Technical Problem

In the functional encryption scheme described in Patent Literature 1, it is necessary to generate a vector constituting a ciphertext or a vector constituting a decryption key for each attribute category t. The size of a ciphertext is large, so that decryption and so on require processing time.

It is an object of the present invention to reduce the sizes of a ciphertext, a decryption key, a signature, and so on.

Solution to Problem

A cryptographic system according to the present invention performs a cryptographic process using a basis B and a basis B*, and the cryptographic system includes:

a transmission device to generate a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) (j=1, . . . , n) of a polynomial having attribute information x_(i) (i=1, . . . , n′, n′ being an integer from 1 to n−1, n being an integer of 2 or greater) as roots and a second vector consisting of v₁^(i) (i=0, . . . , n−1) being a power of predicate information v₁; and

a reception device to perform a pairing operation on the transmission-side vector and a reception-side vector being a vector in the basis B* and being generated using the other vector of the first vector and the second vector.

Advantageous Effects of Invention

A cryptographic system according to the present invention can reduce the sizes of a ciphertext, a decryption key, a signature, and so on by providing special configurations of vectors used to generate a transmission-side vector and a reception-side vector.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory drawing of a matrix M̂;

FIG. 2 is an explanatory drawing of a matrix M_(δ);

FIG. 3 is an explanatory drawing of s₀;

FIG. 4 is an explanatory drawing of {right arrow over (s)}^(T);

FIG. 5 is a configuration diagram of a cryptographic system 10 that implements a KP-ABE scheme according to Embodiment 1;

FIG. 6 is a configuration diagram of a key generation device 100 according to Embodiment 1;

FIG. 7 is a configuration diagram of an encryption device 200 according to Embodiment 1;

FIG. 8 is a configuration diagram of a decryption device 300 according to Embodiment 1;

FIG. 9 is a flowchart illustrating the process of a Setup algorithm according to Embodiment 1;

FIG. 10 is a flowchart illustrating the process of a KeyGen algorithm according to Embodiment 1;

FIG. 11 is a flowchart illustrating the process of an Enc algorithm according to Embodiment 1;

FIG. 12 is a flowchart illustrating the process of a Dec algorithm according to Embodiment 1;

FIG. 13 is a configuration diagram of a cryptographic system 10 that implements a CP-ABE scheme according to Embodiment 2;

FIG. 14 is a configuration diagram of a key generation device 100 according to Embodiment 2;

FIG. 15 is a configuration diagram of an encryption device 200 according to Embodiment 2;

FIG. 16 is a flowchart illustrating the process of a KeyGen algorithm according to Embodiment 2;

FIG. 17 is a flowchart illustrating the process of an Enc algorithm according to Embodiment 2;

FIG. 18 is a configuration diagram of a cryptographic system 10 that implements an ABS scheme according to Embodiment 4;

FIG. 19 is a configuration diagram of a key generation device 100 according to Embodiment 4;

FIG. 20 is a configuration diagram of a signature device 400 according to Embodiment 4;

FIG. 21 is a configuration diagram of a verification device 500 according to Embodiment 4;

FIG. 22 is a flowchart illustrating the process of a Setup algorithm according to Embodiment 4;

FIG. 23 is a flowchart illustrating the process of a KeyGen algorithm according to Embodiment 4;

FIG. 24 is a flowchart illustrating the process of a Sig algorithm according to Embodiment 4;

FIG. 25 is a flowchart illustrating the process of a Ver algorithm according to Embodiment 4; and

FIG. 26 is a diagram illustrating an example of a hardware configuration of each device of the cryptographic system 10 presented in Embodiments 1 to 5.

DESCRIPTION OF EMBODIMENTS Embodiment 1

Notations to be used in the following description will be described.

When A is a random variable or distribution, Formula 101 denotes that y is randomly selected from A according to the distribution of A. That is, y is a random number in Formula 101.

$\begin{matrix}{y\overset{R}{\leftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 101} \right\rbrack\end{matrix}$

When A is a set, Formula 102 denotes that y is uniformly selected from A. That is, y is a uniform random number in Formula 102.

$\begin{matrix}{y\overset{U}{\leftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 102} \right\rbrack\end{matrix}$

Formula 103 denotes that y is set, defined, or substituted by z.

y:=z  [Formula 103]

When a is a fixed value, Formula 104 denotes that a machine (algorithm) A outputs a on input x.

A(x)→a  [Formula 104]

For example,

A(x)→1

Formula 105, namely F_(q), denotes a finite field of order q.

F_(q)  [Formula 105]

A vector symbol denotes a vector representation over the finite field F_(q), as indicated in Formula 106.

{right arrow over (x)} denotes (x₁, . . . , x_(n)) ∈ F_(q)^(n)  [Formula 106]

Formula 107 denotes the inner-product, indicated in Formula 109, of two vectors {right arrow over (x)} and {right arrow over (v)} indicated in Formula 108.

{right arrow over (x)}·{right arrow over (v)}  [Formula 107]

{right arrow over (x)}=(x₁, . . . , x_(n)),

{right arrow over (v)}=(v₁, . . . , v_(n))  [Formula 108]

Σ_(i=1)^(n) x_(i)v_(i)  [Formula 109]

Note that X^(T) denotes the transpose of a matrix X.

For a basis B and a basis B* indicated in Formula 110, Formula 111 is established.

B:=(b₁, . . . , b_(N)),

B*:=(b₁*, . . . , b_(N)*)  [Formula 110]

:=Σ_(i=1)^(N) x_(i)b_(i),

:=Σ_(i=1)^(N) y_(i)b_(i)*  [Formula 111]

Note that {right arrow over (e)}_(j) denotes a normal basis vector indicated in Formula 112.

$\begin{matrix}{{\overset{\rightarrow}{e}}_{j}:\ \left( {\overbrace{0\ \cdots\ 0}^{j - 1},1,\overbrace{0\ \cdots\ 0}^{n - j}} \right) \in {\mathbb{F}}_{q}^{n}\ \text{for}\ j = 1,\ldots,n,} & \left\lbrack {{Formula}\mspace{14mu} 112} \right\rbrack\end{matrix}$

In the following description, when Vt, nt, ut, wt, zt, nu, wu, and zu are each represented as a subscript or superscript, these Vt, nt, ut, wt, zt, nu, wu, and zu respectively denote V_(t), n_(t), u_(t), w_(t), z_(t), n_(u), w_(u), and z_(u). Similarly, when δi,j is represented as a superscript, this δi,j denotes δ_(i,j). Similarly, when φj is represented as a superscript, this φj denotes φ_(j). Similarly, when s0 is represented as a superscript, this s0 denotes s₀.

When → denoting a vector is attached to a subscript or superscript, it is meant that this → is attached as a superscript to the subscript or superscript.

In the following description, a cryptographic process and a cryptographic scheme include not only a narrowly-defined cryptographic process for keeping information secure from a third party, but also include a signature process, and include a key generation process, an encryption process, a decryption process, a signature process, and a verification process.

In Embodiment 1, a basic concept for implementing a cryptographic scheme will be described, and then a structure of a cryptographic scheme according to Embodiment 1 will be described.

First, a space having a rich mathematical structure called “dual pairing vector spaces (DPVS)” which is a space for implementing the cryptographic scheme will be described.

Second, a concept for implementing the cryptographic scheme will be described. Here, a span program, an access structure, and a secret distribution scheme (secret sharing scheme) will be described.

Third, a basic structure of the cryptographic scheme according to Embodiment 1 will be described. In Embodiment 1, a key-policy attribute-based encryption (KP-ABE) scheme will be described.

Fourth, a basic configuration of a cryptographic system 10 that implements the cryptographic scheme according to Embodiment 1 will be described.

Fifth, a key technique and a simplified cryptographic scheme of the cryptographic scheme according to Embodiment 1 will be described.

Sixth, the cryptographic scheme according to Embodiment 1 will be described in detail.

<1. Dual Pairing Vector Spaces>

First, symmetric bilinear pairing groups will be described.

Symmetric bilinear pairing groups (q, G, G_(T), g, e) are a tuple of a prime q, a cyclic additive group G of order q, a cyclic multiplicative group G_(T) of order q, g≠0∈G, and a polynomial-time computable nondegenerate bilinear pairing e: G×G→G_(T). The nondegenerate bilinear pairing signifies e(sg, tg)=e(g, g)^(st), and e(g, g)≠1.

In the following description, let G_(bpg) be an algorithm that takes as input 1^(λ) and outputs values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups with a security parameter λ.

Dual pairing vector spaces will now be described.

Dual pairing vector spaces (q, V, G_(T), A, e) can be constructed by a direct product of the symmetric bilinear pairing groups (param_(G):=(q, G, G_(T), g, e)). The dual pairing vector spaces (q, V, G_(T), A, e) are a tuple of a prime q, an N-dimensional vector space V over F_(q) indicated in Formula 113, a cyclic group G_(T) of order q, and a canonical basis A:=(a₁, . . . , a_(N)) of the space V, and have the following operations (1) and (2), where a_(i) is as indicated in Formula 114.

$\begin{matrix}{{\mathbb{V}}:=\overbrace{{\mathbb{G}} \times \cdots \times {\mathbb{G}}}^{N}} & \left\lbrack {{Formula}\mspace{14mu} 113} \right\rbrack \\{a_{i}:=\left( {\overbrace{0,\ldots,0}^{i - 1},g,\overbrace{0,\ldots,0}^{N - i}} \right)} & \left\lbrack {{Formula}\mspace{14mu} 114} \right\rbrack\end{matrix}$

Operation (1): Nondegenerate Bilinear Pairing

A pairing in the space V is defined by Formula 115.

e(x,y):=Π_(i=1)^(N) e(G_(i),H_(i)) ∈ G_(T)  [Formula 115]

where

(G₁, . . . , G_(N)):=x ∈ V,

(H₁, . . . , H_(N)):=y ∈ V

This is nondegenerate bilinear, that is, e(sx, ty)=e(x, y)^(st) and if e(x, y)=1 for all y∈V, then x=0. For all i and j, e(a_(i), a_(j))=e(g, g)^(δi,j), where δ_(i,j)=1 if i=j, and δ_(i,j)=0 if i≠j, and e(g, g)≠1∈G_(T).

Operation (2): Distortion Maps

Linear transformations φ_(i,j) on the space V indicated in Formula 116can achieve Formula 117.

If φ_(i,j)(a_(j))=a_(i) and k≠j, then φ_(i,j)(a_(k))=0.  [Formula 116]

$\begin{matrix}{{\varphi_{i,j}(x)}:=\left( {\overbrace{0,\ldots,0}^{i - 1},g_{j},\overbrace{0,\ldots,0}^{N - i}} \right)\quad \text{where}\ \left( {g_{1},\ldots,g_{N}} \right):=x} & \left\lbrack {{Formula}\mspace{14mu} 117} \right\rbrack\end{matrix}$

The linear transformations φ_(i,j) will be called distortion maps.

In the following description, let G_(dpvs) be an algorithm that takes as input 1^(λ) (λ ∈ natural number), N ∈ natural number, and values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups, and outputs values of a parameter param_(V):=(q, V, G_(T), A, e) of dual pairing vector spaces with a security parameter λ and an N-dimensional space V.

Description will be directed herein to a case where the dual pairing vector spaces are constructed using the above-described symmetric bilinear pairing groups. The dual pairing vector spaces can also be constructed using asymmetric bilinear pairing groups. The following description can easily be adapted to a case where the dual pairing vector spaces are constructed using asymmetric bilinear pairing groups.

<2. Concept for Implementing Cryptographic Scheme>

<2-1. Span Program>

FIG. 1 is an explanatory drawing of a matrix M̂.

Let {p₁, . . . , p_(n)} be a set of variables. M̂:=(M, ρ) is a labeled matrix. The matrix M is an (L rows×r columns) matrix over F_(q), and ρ is a label of columns of the matrix M and is related to one of literals {p₁, . . . , p_(n), ¬p₁, . . . , ¬p_(n)}. A label ρ_(i) (i=1, . . . , L) of each row of M is related to one of the literals. That is, ρ: {1, . . . , L}→{p₁, . . . , p_(n), ¬p₁, . . . , ¬p_(n)}.

For every input sequence δ∈{0, 1}^(n), a submatrix M_(δ) of the matrix M is defined. The matrix M_(δ) is a submatrix consisting of those rows of the matrix M the labels ρ of which are related to a value “1” by the input sequence δ. That is, the matrix M_(δ) is a submatrix consisting of the rows of the matrix M which are related to p_(i) such that δ_(i)=1 and the rows of the matrix M which are related to ¬p_(i) such that δ_(i)=0.

FIG. 2 is an explanatory drawing of the matrix M_(δ). In FIG. 2, note that n=7, L=6, and r=5. That is, the set of variables is {p₁, . . . , p₇}, and the matrix M is a (6 rows×5 columns) matrix. In FIG. 2, assume that the labels ρ are related such that ρ₁ is related to ¬p₂, ρ₂ to p₁, ρ₃ to p₄, ρ₄ to ¬p₅, ρ₅ to ¬p₃, and ρ₆ to p₅.

Assume that in an input sequence δ∈{0, 1}⁷, δ₁=1, δ₂=0, δ₃=1, δ₄=0, δ₅=0, δ₆=1, and δ₇=1. In this case, a submatrix consisting of the rows of the matrix M which are related to literals (p₁, p₃, p₆, p₇, ¬p₂, ¬p₄, ¬p₅) surrounded by broken lines is the matrix M_(δ). That is, the submatrix consisting of the first row (M₁), second row (M₂), and fourth row (M₄) of the matrix M is the matrix M_(δ).

In other words, when map γ: {1, . . . , L}→{0, 1} is [ρ(j)=p_(i)] ∧ [δ_(i)=1] or [ρ(j)=¬p_(i)] ∧ [δ_(i)=0], then γ(j)=1; otherwise γ(j)=0. In this case, M_(δ):=(M_(j))_(γ(j)=1). Note that M_(j) is the j-th row of the matrix M.

That is, in FIG. 2, map γ(j)=1 (j=1, 2, 4), and map γ(j)=0 (j=3, 5, 6). Hence, (M_(j))_(γ(j)=1) is M₁, M₂, and M₄, and is the matrix M_(δ).

More specifically, whether or not the j-th row of the matrix M is included in the matrix M_(δ) is determined by whether the value of the map γ(j) is “0” or “1”.

The span program M̂ accepts an input sequence δ if and only if {right arrow over (1)}∈span<M_(δ)>, and rejects the input sequence δ otherwise. That is, the span program M̂ accepts the input sequence δ if and only if linear combination of the rows of the matrix M_(δ) which are obtained from the matrix M̂ by the input sequence δ gives {right arrow over (1)}. {right arrow over (1)} is a row vector which has a value “1” in each element.

For example, in an example of FIG. 2, the span program M̂ accepts the input sequence δ if and only if linear combination of the respective rows of the matrix M_(δ) consisting of the first, second, and fourth rows of the matrix M gives {right arrow over (1)}. That is, if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}, the span program M̂ accepts the input sequence δ.

The span program is called monotone if its labels ρ are related to only positive literals {p₁, . . . , p_(n)}. The span program is called non-monotone if its labels ρ are related to the literals {p₁, . . . , p_(n), ¬p₁, . . . , ¬p_(n)}. It is assumed herein that the span program is non-monotone. An access structure (non-monotone access structure) is constructed using the non-monotone span program. Briefly, an access structure controls access to encryption, that is, it controls whether a ciphertext is to be decrypted or not.

The span program being non-monotone, instead of being monotone, allows for a wider range of applications of the cryptographic scheme constructed using the span program.

<2-2. Access Structure>

U (⊂{0, 1}*) is a universe and a set of attributes, and U is represented by values of attributes, that is, v∈F_(q)^(×) (:=F_(q)\{0}).

It is defined such that the attributes are a variable p in M̂:=(M, ρ). That is, p:=v. The access structure S is a span program M̂:=(M, ρ) with variables p:=v and p′:=v′, . . . . That is, the access structure S is S:=(M, ρ) with ρ: {1, . . . , L}→{v, v′, . . . , ¬v, ¬v′, . . . }.

Let Γ be a set of attributes. That is, Γ:={x_(j)}_(1≦j≦n′).

When Γ is given to the access structure S, map γ: {1, . . . , L}→{0, 1} for the span program M̂:=(M, ρ) is defined as follows. For each integer i=1, . . . , L, set γ(i)=1 if [ρ(i)=v_(i)] ∧ [v_(i)∈Γ] or [ρ(i)=¬v_(i)] ∧ [v_(i)∉Γ]. Set γ(i)=0 otherwise.

The access structure S:=(M, ρ) accepts Γ if and only if {right arrow over (1)}∈span<(M_(i))_(γ(i)=1)>.

<2-3. Secret Distribution Scheme>

A secret distribution scheme for the access structure S:=(M, ρ) will be described.

A secret distribution scheme distributes secret information so that it is rendered into meaningless distributed information. For example, secret information s is distributed into 10 pieces to generate 10 pieces of distributed information. Each of the 10 pieces of distributed information does not have information on the secret information s. Hence, even when one of the pieces of distributed information is obtained, no information can be obtained on the secret information s. On the other hand, if all of the 10 pieces of distributed information are obtained, the secret information s can be recovered.

There is another secret distribution scheme according to which the secret information s can be recovered if some (for example, 8 pieces) of distributed information can be obtained, without obtaining all of the 10 pieces of distributed information. A case like this where the secret information s can be recovered using 8 pieces out of 10 pieces of distributed information will be called 8-out-of-10. That is, a case where the secret information s can be recovered using t pieces out of n pieces of distributed information will be called t-out-of-n. This t will be called a threshold value.

There is still another secret distribution scheme according to which when 10 pieces of distributed information d₁, . . . , d₁₀ are generated, the secret information s can be recovered with 8 pieces of distributed information d₁, . . . , d₈, but the secret information s cannot be recovered with 8 pieces of distributed information d₃, . . . , d₁₀. In other words, secret distribution schemes include a scheme according to which whether or not the secret information s can be recovered is controlled not only by the number of pieces of distributed information obtained, but also the combination of distributed information obtained.

FIG. 3 is an explanatory drawing of s₀. FIG. 4 is an explanatory drawing of {right arrow over (s)}^(T).

Let a matrix M be an (L rows×r columns) matrix. Let {right arrow over (f)}^(T) be a column vector indicated in Formula 118.

$\begin{matrix}{{\overset{\rightarrow}{f}}^{T}:={\left( {f_{1},\ldots,f_{r}} \right)^{T}\overset{U}{\leftarrow}{\mathbb{F}}_{q}^{r}}} & \left\lbrack {{Formula}\mspace{14mu} 118} \right\rbrack\end{matrix}$

Let s₀ indicated in Formula 119 be secret information to be shared.

s₀:={right arrow over (1)}·{right arrow over (f)}^(T):=Σ_(k=1)^(r) f_(k)  [Formula 119]

Let {right arrow over (s)}^(T) indicated in Formula 120 be a vector of L pieces of distributed information of s₀.

{right arrow over (s)}^(T):=(s₁, . . . , s_(L))^(T):=M·{right arrow over (f)}^(T)  [Formula 120]

Let the distributed information s_(i) belong to ρ(i).

If the access structure S:=(M, ρ) accepts Γ, that is, if {right arrow over (1)}∈span<(M_(i))_(γ(i)=1)> for γ: {1, . . . , L}→{0, 1}, then there exist constants {α_(i)∈F_(q)|i∈I} such that I⊂{i∈{1, . . . , L}|γ(i)=1}.

This is obvious from the explanation about the example of FIG. 2 that if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}, the span program M̂ accepts the input sequence δ. That is, if the span program M̂ accepts the input sequence δ when there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}, then there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}.

Note Formula 121.

Σ_(i∈I) α_(i)s_(i):=s₀  [Formula 121]

Note that constants {α_(i)} are computable in time polynomial in the size of the matrix M.
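The following Python sketch is an added example and is not part of the original description. It evaluates the map γ for a non-monotone access structure, tests whether {right arrow over (1)} lies in the span of the selected rows, and recovers s₀ from the distributed information as in Formula 121; the prime q=101, the matrix M, the labels ρ and the attribute values are constructed for illustration.

```python
Q = 101  # small prime standing in for q (constructed for this example)


def gamma(rho, attrs):
    """gamma(i)=1 iff rho(i)=v with v in attrs, or rho(i)=NOT v with v not in attrs."""
    return [(v in attrs) == positive for v, positive in rho]


def solve_combination(rows, target):
    """Return alpha with sum_i alpha[i]*rows[i] == target over F_Q, or None."""
    m, r = len(rows), len(target)
    # One equation per column k of M: sum_i alpha_i * rows[i][k] = target[k].
    aug = [[rows[i][k] % Q for i in range(m)] + [target[k] % Q] for k in range(r)]
    pivots, row = [], 0
    for col in range(m):
        piv = next((i for i in range(row, r) if aug[i][col]), None)
        if piv is None:
            continue  # free variable, left at 0
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, Q)
        aug[row] = [x * inv % Q for x in aug[row]]
        for i in range(r):
            if i != row and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % Q for x, y in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
    if any(aug[i][m] for i in range(row, r)):
        return None  # inconsistent: the all-ones vector is not in the span
    alpha = [0] * m
    for i, col in enumerate(pivots):
        alpha[col] = aug[i][m]
    return alpha


def accept(M, rho, attrs):
    """Return {row index: alpha_i} if the access structure accepts attrs, else None."""
    idx = [i for i, g in enumerate(gamma(rho, attrs)) if g]
    alpha = solve_combination([M[i] for i in idx], [1] * len(M[0]))
    return None if alpha is None else dict(zip(idx, alpha))


def share(M, f):
    """Formulas 119 and 120: s0 = 1.f and s = M.f for a column vector f."""
    s0 = sum(f) % Q
    return s0, [sum(a * b for a, b in zip(row, f)) % Q for row in M]


def recover(alpha, shares):
    """Formula 121: sum over i in I of alpha_i * s_i."""
    return sum(a * shares[i] for i, a in alpha.items()) % Q


# Constructed policy (A AND B) OR (NOT C) with attribute values A=5, B=7, C=11.
M = [[1, 0], [0, 1], [1, 1]]
RHO = [(5, True), (7, True), (11, False)]

if __name__ == "__main__":
    import secrets

    f = [secrets.randbelow(Q) for _ in range(len(M[0]))]
    s0, shares = share(M, f)
    for attrs in ({5, 7, 11}, {5}, {5, 11}):
        alpha = accept(M, RHO, attrs)
        result = "rejected" if alpha is None else recover(alpha, shares) == s0
        print(sorted(attrs), result)
```
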

<3. Basic Structure of Cryptographic Scheme (KP-ABE Scheme)>

The structure of the KP-ABE scheme will be briefly described. Note that KP (key policy) means that a policy, namely an access structure, is embedded in a ciphertext.

The KP-ABE scheme includes four algorithms: Setup, KeyGen, Enc, and Dec.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and outputs a public parameter pk and a master key sk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input the public parameter pk, the master key sk, and an access structure S:=(M, ρ), and outputs a decryption key sk_(S).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input the public parameter pk, a message m, and an attribute set Γ:={x_(j)}_(1≦j≦n′), and outputs a ciphertext ct_(Γ).

(Dec)

A Dec algorithm is an algorithm that takes as input the public parameter pk, the decryption key sk_(S), and the ciphertext ct_(Γ), and outputs the message m or a distinguished symbol ⊥.

<4. Basic Configuration of Cryptographic System 10>

The cryptographic system 10 that implements the algorithms of the KP-ABE scheme will be described.

FIG. 5 is a configuration diagram of the cryptographic system 10 that implements the KP-ABE scheme according to Embodiment 1.

The cryptographic system 10 includes a key generation device 100, an encryption device 200 (an example of a transmission device), and a decryption device 300 (an example of a reception device).

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and thereby generates a public parameter pk and a master key sk.

Then, the key generation device 100 publishes the public parameter pk. The key generation device 100 also executes the KG algorithm taking as input an access structure S, and thereby generates a decryption key sk_(S), and transmits the decryption key sk_(S) to the decryption device 300 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input the public parameter pk, a message m, and an attribute set Γ, and thereby generates a ciphertext ct_(Γ). The encryption device 200 transmits the ciphertext ct_(Γ) to the decryption device 300.

The decryption device 300 executes the Dec algorithm taking as input the public parameter pk, the decryption key sk_(S), and the ciphertext ct_(Γ), and outputs the message m or a distinguished symbol ⊥.

<5. Key Technique and Simplified Cryptographic Scheme>

<5-1. Encoding>

In the functional encryption scheme described in Patent Literature 1, an identifier t is assigned to each attribute category, and a vector which is an element of a ciphertext (or a decryption key) is generated for each identifier t.

In Embodiment 1, a method for encoding attribute information is specially devised such that the identifier t for an attribute category is eliminated and one vector is used as an element of a ciphertext.

In Embodiment 1, a vector (one vector) which is an element of a ciphertext is generated such that each element of a vector {right arrow over (y)}:=(y₁, . . . , y_(n)) (first vector) consisting of coefficients y_(j) of a polynomial having attribute information x_(i) as roots is set as the coefficient of each basis vector of a basis B. That is, a vector which is an element of a ciphertext is generated such that the vector {right arrow over (y)}:=(y₁, . . . , y_(n)) being f(z)=(z-x₁)(z-x₂) . . . (z-x_(n))=y₁z^(n)+ . . . +y_(n-1)z+y_(n) is set as the coefficient of each basis vector of the basis B.

A vector (one or more vectors) which is an element of a decryption key is generated such that a vector {right arrow over (v)}_(i):=(v_(i)^(n-1), . . . , v_(i), 1) (second vector) consisting of v_(i)^(j) being a power of v_(i) is set as the coefficient of each basis vector of a basis B*, for each integer i=1, . . . , L.

With this arrangement, it is possible to control such that when a pairing operation is performed on the vector which is the element of the ciphertext and the vector which is the element of the decryption key, v_(i) is assigned to f(z), and if v_(i) is equal to any of x₁, . . . , x_(n), then f(v_(i))=0, and if v_(i) is not equal to any of x₁, . . . , x_(n), then f(v_(i))≠0.

<5-2. Sparse Matrix>

In the functional encryption scheme described in Patent Literature 1, a basis B and a basis B* being a pair of dual bases are generated. The basis B and the basis B* are generated using a fully random linear transformation X (change-of-basis matrix) uniformly selected from GL(N, F_(q)). In particular, the basis B and the basis B* are generated by transforming a canonical basis A by linear transformations X and (X⁻¹)^(T), respectively. Note that N denotes the number of dimensions of span<B> and span<B*>.

In a typical application in which dual pairing vector spaces are applied to a cryptographic process, a part of the basis B (to be referred to as B̂) is used as a public parameter, and the corresponding part of the basis B* (to be referred to as B̂*) is used as a trapdoor.

In Embodiment 1, a special form of the random linear transformation X being X∈GL(N, F_(q)) (a sparse matrix) is employed, in place of the fully random linear transformation X described above.

<5-3. Simplified Cryptographic Scheme>

A simplified KP-ABE scheme will be described.

A ciphertext in the simplified KP-ABE scheme consists of two vector elements (c₀, c₁)∈G⁵×G^(n) as well as c₃∈G_(T). A secret key consists of the L+1 number of vector elements (k*₀, k*₁, . . . , k*_(L))∈G⁵×(G^(n))^(L) for an access structure S:=(M, ρ), where L denotes the number of rows in a matrix M and each vector element k*_(i) corresponds to each row of the matrix M. Note that (c₀, c₁)∈G⁵×G^(n) signifies that c₀ is five elements of G, and c₁ is the n number of elements of G. Similarly, (k*₀, k*₁, . . . , k*_(L))∈G⁵×(G^(n))^(L) signifies that k*₀ is five elements of G, and k*₁, . . . , k*_(L) are the n number of elements of G.

Therefore, to achieve constant-size ciphertexts, it is necessary to compress c₁∈G^(n) to a constant size in n.

In Embodiment 1, a special linear transformation X indicated in Formula 122 is employed.

$\begin{matrix}{X:={\begin{pmatrix}\mu & & & \mu_{1}^{\prime} \\ & \ddots & & \vdots \\ & & \mu & \mu_{n - 1}^{\prime} \\ & & & \mu_{n}^{\prime}\end{pmatrix} \in {\mathcal{H}\left( {n,{\mathbb{F}}_{q}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 122} \right\rbrack\end{matrix}$

Note that μ, μ′₁, . . . , μ′_(n) are values uniformly selected from a finite field F_(q), and a blank in the linear transformation X denotes 0∈F_(q). Note also that H(n, F_(q)) signifies a set of n-dimensional matrices having the finite field F_(q) as elements.

A public key (basis in DPVS) is a basis B indicated in Formula 123.

$\begin{matrix}{:={\begin{pmatrix}b_{1} \\\vdots \\\; \\b_{n}\end{pmatrix}:=\begin{pmatrix}{\mu \; g} & \; & \; & {\mu_{1}^{\prime}g} \\\; & \ddots & \; & \vdots \\\; & \; & {\mu \; g} & {\mu_{n - 1}^{\prime}g} \\\; & \; & \; & {\mu_{n}^{\prime}g}\end{pmatrix}}} & \left\lbrack {{Formula}\mspace{14mu} 123} \right\rbrack\end{matrix}$

Let a ciphertext associated with an attribute set Γ:=(x₁, . . . ,x_(n′))be a ciphertext c₁ indicated in Formula 123.

c ₁:=(ω{right arrow over (y)})

=ω(y ₁ b ₁ + . . . +y _(n) b _(n))=(y ₁ ωμg, . . . , y _(n-1)ωμg,ω(Σ_(i=1) ^(n) y _(i)μ_(i)′)g)  [Formula 123]

Note that ω is a value uniformly selected from the finite field F_(q),and {right arrow over (y)}:=(y₁, . . . , y_(n)) is a vector indicated inFormula 124.

Σ_(j=0) ^(n-1) y _(n-j) z ^(j) =z ^(n-1-n′)·Π_(j=1) ^(n′)(z−x_(j))  [Formula 124]

Then, the ciphertext c₁ can be compressed to two group elements C₁ andC₂ indicated in Formula 125 and the vector {right arrow over (y)}.

C ₁ :=ωμg,

C ₂:=ω(Σ_(i=1) ^(n) y _(i)μ_(i)′)g[Formula 103]

This is because the ciphertext c₁ is obtained by (y₁C₁, . . . ,y_(n-1)C₁, C₂). Note that y_(i)C₁=y_(i)ωμg for each i=1, . . . , n−1.

Therefore, the ciphertext (excluding the vector {right arrow over (y)})can be two group elements, and the size is constant in n.

Let B*:=(b*_(i)) be the dual orthonormal basis of B:=(b_(i)), and letthe basis B* be a master secret key in the simplified KP-ABE scheme.

(c₀, k*₀, c₃) is specified such that e(c₀, k*₀)=g_(T) ^(ζ-ωs0) andc₃:=g_(T) ^(ζ)mεG_(T). Note that s0(s₀) is a center secret of sharedinformation {s_(i)}_(i=1, . . . , L) associated with the accessstructure S.

Using the shared information {s_(i)}_(i=1, . . . , L), a set of secretkeys for the access structure S is set as indicated in Formula 126.

$\begin{matrix}{{{k_{i}^{*}:={{\left( {{s_{i}{\overset{\rightarrow}{e}}_{1}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}} \right)_{^{*}}\mspace{14mu} {if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{k_{i}^{*}:={{\left( {s_{i}{\overset{\rightarrow}{v}}_{i}} \right)_{^{*}}\mspace{14mu} {if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}}}}{where}{{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i}^{n - 1},\ldots \mspace{14mu},v_{i},1} \right)},{\theta_{i}\overset{U}{\leftarrow}_{q}}}} & \left\lbrack {{Formula}\mspace{14mu} 126} \right\rbrack\end{matrix}$

From the dual orthonormality of the basis B and the basis B*, if theaccess structure S accepts the attribute set Γ, there exists acomplementary coefficients {α_(i)}_(iεI) such that Formula 127 issatisfied.

$\begin{matrix}{{{e\left( {c_{1},{\overset{\sim}{k}}^{*}} \right)} = g_{T}^{\omega \; s_{0}}}{where}{{\overset{\sim}{k}}^{*}:={{\sum\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = v_{i}}\; {\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {v_{i}}}{{\alpha_{i}\left( {\overset{\rightarrow}{y} \cdot {\overset{\rightarrow}{v}}_{i}} \right)}^{- 1}k_{i}^{*}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 127} \right\rbrack\end{matrix}$

Hence, a decryptor can compute g_(T) ^(ωs0) and obtain a message m ifand only if the access structure S accepts the attribute set Γ.

The ciphertext c₁ is represented as (y₁C₁, . . . , y_(n-1)C₁, C₂)εG^(n),and a secret key k^(˜*) is parsed as n-tuple (D*₁, . . . ,D*_(n)). Thus,the value of e(c₁, k^(˜*)) is as indicated in Formula 128.

$\begin{matrix}{{\prod_{i = 1}^{n - 1}{{{e\left( {{y_{i}C_{1}},D_{i}^{*}} \right)} \cdot e}\left( {C_{2},D_{n}^{*}} \right)}} = {{\prod_{i = 1}^{n - 1}{{e\left( {C_{1},{y_{i}D_{i}^{*}}} \right)} \cdot {e\left( {C_{2},D_{n}^{*}} \right)}}} = {{e\left( {C_{1},{\sum_{i = 1}^{n - 1}{y_{i}D_{i}^{*}}}} \right)} \cdot {e\left( {C_{2},D_{n}^{*}} \right)}}}} & \left\lbrack {{Formula}\mspace{14mu} 128} \right\rbrack\end{matrix}$

That is, n−1 scalar multiplications in G and two pairing operations are enough for computing e(c₁, k^(˜*)). This means that only a small (constant) number of pairing operations is required for decryption. Generally, a pairing operation is an operation that requires processing time. Therefore, by reducing the number of pairing operations, the processing time for the entirety of processing can be shortened.

In the simplified KP-ABE scheme, the ciphertext c₁ has only the basis vector in which the vector $\vec{y}$ is set (real encoding part), and the secret key k*₁ has only the basis vector in which the vector $\vec{v}$ is set (real encoding part).

In the KP-ABE scheme to be described below, in order to enhance security, a hidden part, a secret key randomness part, and a ciphertext randomness part are added to the ciphertext c₁ and the secret key k*₁ in addition to the real encoding part.

Therefore, the linear transformation X is expanded six-fold, as indicated in Formula 129. Then, the real encoding part, the hidden part, the secret key randomness part, and the ciphertext randomness part are assigned n, 2n, 2n, and n dimensions, respectively.

$\begin{matrix}{X:=\begin{pmatrix}X_{1,1} & \ldots & X_{1,6} \\\vdots & \; & \vdots \\X_{6,1} & \ldots & X_{6,6}\end{pmatrix}} & \left\lbrack {{Formula}\mspace{14mu} 129} \right\rbrack\end{matrix}$

Note that each X_(i,j) is X ∈ H(n, F_(q)) indicated in Formula 122. The vector space consists of four orthogonal subspaces. That is, the vector space consists of four orthogonal subspaces for the encoding part, the hidden part, the secret key randomness part, and the ciphertext randomness part.

<6. Cryptographic Scheme>

FIG. 6 is a configuration diagram of the key generation device 100 according to Embodiment 1. FIG. 7 is a configuration diagram of the encryption device 200 according to Embodiment 1. FIG. 8 is a configuration diagram of the decryption device 300 according to Embodiment 1.

FIG. 9 and FIG. 10 are flowcharts illustrating the operation of the key generation device 100 according to Embodiment 1. FIG. 9 is a flowchart illustrating the process of the Setup algorithm according to Embodiment 1, and FIG. 10 is a flowchart illustrating the process of the KeyGen algorithm according to Embodiment 1. FIG. 11 is a flowchart illustrating the operation of the encryption device 200 according to Embodiment 1 and illustrating the process of the Enc algorithm according to Embodiment 1. FIG. 12 is a flowchart illustrating the operation of the decryption device 300 according to Embodiment 1 and illustrating the process of the Dec algorithm according to Embodiment 1.

The function and operation of the key generation device 100 will be described.

As illustrated in FIG. 6, the key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The master key generation part 110 includes a space generation part 111, a matrix generation part 112, a basis generation part 113, and a key generation part 114. The decryption key generation part 140 includes an f vector generation part 141, an s vector generation part 142, a random number generation part 143, and a key element generation part 144.

With reference to FIG. 9, the process of the Setup algorithm will be described.

(S101: Space Generation Step)

With a processing device, the space generation part 111 executes G_(bpg) taking as input a security parameter 1^(λ), and thereby generates a parameter param_(G):=(q, G, G_(T), g, e) of symmetric bilinear pairing groups.

Further, the space generation part 111 sets N₀:=5 and N₁:=6n. Then, with the processing device and for each integer t=0, 1, the space generation part 111 executes G_(dpvs) taking as input the security parameter 1^(λ), N_(t), and the parameter param_(G) of the symmetric bilinear pairing groups, and thereby generates a parameter param_(Vt):=(q, V_(t), G_(T), A, e) of dual pairing vector spaces.

(S102: Linear Transformation Generation Step)

With the processing device, the matrix generation part 112 generates a linear transformation X₀, as indicated in Formula 130.

$\begin{matrix}{X_{0} := \left( \chi_{0,i,j} \right)_{i,j = 1,\ldots,5} \overset{U}{\leftarrow} GL(N_{0},\mathbb{F}_{q})} & \left\lbrack {{Formula}\mspace{14mu} 130} \right\rbrack\end{matrix}$

Note that (χ_(0,i,j))_(i,j=1, . . . ,5) in Formula 130 signifies a matrix concerning the suffixes i and j of the matrix χ_(0,i,j).

With the processing device, the matrix generation part 112 also generates a linear transformation X₁, as indicated in Formula 131.

$\begin{matrix}{X_{1} \overset{U}{\leftarrow} \mathcal{L}(6,n,\mathbb{F}_{q})} & \left\lbrack {{Formula}\mspace{14mu} 131} \right\rbrack\end{matrix}$

Note that L(6, n, F_(q)) in Formula 131 is as indicated in Formula 132.

$\begin{matrix}{\begin{aligned} \mathcal{L}(w,n,\mathbb{F}_{q}) &:= \left\{ X := \begin{pmatrix} X_{1,1} & \ldots & X_{1,w} \\ \vdots & & \vdots \\ X_{w,1} & \ldots & X_{w,w} \end{pmatrix} \;\middle|\; X_{i,j} := \begin{pmatrix} \mu_{i,j} & & & \mu_{i,j,1}^{\prime} \\ & \ddots & & \vdots \\ & & \mu_{i,j} & \mu_{i,j,n-1}^{\prime} \\ & & & \mu_{i,j,n}^{\prime} \end{pmatrix} \in \mathcal{H}(n,\mathbb{F}_{q}) \text{ for } i,j = 1,\ldots,w \right\} \cap GL(wn,\mathbb{F}_{q}), \\ \mathcal{H}(n,\mathbb{F}_{q}) &:= \left\{ \begin{pmatrix} u & & & u_{1}^{\prime} \\ & \ddots & & \vdots \\ & & u & u_{n-1}^{\prime} \\ & & & u_{n}^{\prime} \end{pmatrix} \;\middle|\; \begin{matrix} u, u_{L}^{\prime} \in \mathbb{F}_{q} \text{ for } L = 1,\ldots,n, \\ \text{a blank element in the matrix denotes } 0 \in \mathbb{F}_{q} \end{matrix} \right\} \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 132} \right\rbrack\end{matrix}$

In the following, {μ_(i,j), μ′_(i,j,L)}_(i,j=1, . . . ,6; L=1, . . . ,n) denotes non-zero elements in the linear transformation X₁.

(S103: Basis B Generation Step)

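With the processing device, the basis generation part 113 generates a basis B₀, a variable B_(i,j), and a variable B′_(i,j,L), as indicated in Formula 133.

$\begin{matrix}{\begin{aligned} & b_{0,i} := \left( \chi_{0,i,1},\ldots,\chi_{0,i,5} \right)_{\mathbb{A}} = \sum_{j = 1}^{5}\chi_{0,i,j}a_{j} \quad \text{for } i = 1,\ldots,5, \\ & \mathbb{B}_{0} := (b_{0,1},\ldots,b_{0,5}), \\ & B_{i,j} := \mu_{i,j}g,\quad B_{i,j,L}^{\prime} := \mu_{i,j,L}^{\prime}g \quad \text{for } i,j = 1,\ldots,6;\ L = 1,\ldots,n \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 133} \right\rbrack\end{matrix}$

With the processing device, the basis generation part 113 also generates a basis B*₀ and a basis B*₁, as indicated in Formula 134.

$\begin{matrix}{\begin{aligned} & \text{for } t = 0,1, \\ & \left( \vartheta_{t,i,j} \right)_{i,j = 1,\ldots,N_{t}} := \psi \cdot \left( X_{t}^{T} \right)^{-1}, \\ & b_{t,i}^{*} := \left( \vartheta_{t,i,1},\ldots,\vartheta_{t,i,N_{t}} \right)_{\mathbb{A}} = \sum_{j = 1}^{N_{t}}\vartheta_{t,i,j}a_{j} \quad \text{for } i = 1,\ldots,N_{t}, \\ & \mathbb{B}_{t}^{*} := (b_{t,1}^{*},\ldots,b_{t,N_{t}}^{*}) \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 134} \right\rbrack\end{matrix}$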

(S104: Basis B̂ Generation Step)

With the processing device, the key generation part 114 generates a basis B̂₀, a basis B̂₁, a basis B̂*₀, and a basis B̂*₁, as indicated in Formula 135.

$\begin{matrix}{\begin{aligned} & \hat{\mathbb{B}}_{0} := (b_{0,1},b_{0,3},b_{0,5}), \\ & \hat{\mathbb{B}}_{1} := (b_{1,1},\ldots,b_{1,n},b_{1,5n+1},\ldots,b_{1,6n}) = \left\{ B_{i,j},B_{i,j,L}^{\prime} \right\}_{i = 1,6;\ j = 1,\ldots,6;\ L = 1,\ldots,n}, \\ & \hat{\mathbb{B}}_{0}^{*} := (b_{0,1}^{*},b_{0,3}^{*},b_{0,4}^{*}), \\ & \hat{\mathbb{B}}_{1}^{*} := (b_{1,1}^{*},\ldots,b_{1,n}^{*},b_{1,3n+1}^{*},\ldots,b_{1,5n}^{*}) \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 135} \right\rbrack\end{matrix}$

(S105: Master Key Generation Step)

With the processing device, the key generation part 114 generates a public parameter pk:=(1^(λ), param_(n), {B̂_(t)}_(t=0,1)) and a master secret key sk:={B̂*_(t)}_(t=0,1). Then, the key generation part 114 stores the public parameter pk and the master secret key sk in the master key storage part 120.

Note that param_(n):=({param_(Vt)}_(t=0,1), g_(T):=e(g, g)^(ψ)).

In brief, in (S101) through (S105), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 137, the Setup algorithm using an algorithm G^(ABE(1))_(ob) indicated in Formula 136.

$\begin{matrix}{\mspace{79mu} {{{_{ob}^{{ABE}{(1)}}\left( {1^{\lambda},6,n} \right)}\text{:}}\mspace{20mu} {{{param}_{}:={\left( {q,,_{T},g,e} \right)\overset{R}{\leftarrow}{_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu} {N_{0}:=5},{N_{1}:={6n}},{{param}_{_{t}}:={\left( {q,_{t},_{T},,e} \right):={{{_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}\mspace{14mu} {for}\mspace{14mu} t} = 0}}},1,{\psi \overset{U}{\leftarrow}_{q}^{\times}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},{{param}_{n}:=\left( {\left\{ {param}_{_{T}} \right\}_{{t = 0},1},g_{T}} \right)},{X_{0}:={\left( \chi_{0,i,j} \right)_{i,{j = 1},\ldots \mspace{14mu},5}\overset{U}{\leftarrow}{{GL}\left( {N_{0},_{q}} \right)}}},{X_{1}\overset{U}{\leftarrow}{\mathcal{L}\left( {6,n,_{q}} \right)}},\mspace{20mu} {hereafter}}{{\left\{ {\mu_{i,j},\mu_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots \mspace{14mu},{6;{L = 1}},\ldots \mspace{14mu},n}\mspace{14mu} {denotes}\mspace{14mu} {non}\text{-}{zero}\mspace{14mu} {entries}\mspace{14mu} {of}\mspace{14mu} X_{1}},\mspace{20mu} {b_{0,i}:={\left( {\chi_{0,i,1,\ldots \mspace{14mu},}\chi_{0,i,5}} \right)_{} = {\sum_{j = 1}^{5}{\chi_{0,i,j}a_{j}}}}}}\mspace{20mu} {{{{for}\mspace{14mu} i} = 1},{\ldots \; b}\mspace{11mu},5,{_{0}:=\left( {b_{0,1},\ldots \mspace{14mu},b_{0,5}} \right)},\mspace{20mu} {B_{i.j}:={\mu_{i,j}g}},{B_{i,j,L}^{\prime}:={\mu_{i,j,L}^{\prime}g}}}\mspace{14mu} \mspace{20mu} {{{for}\mspace{14mu} i},{j = 1},\ldots \mspace{14mu},{6;{L = 1}},\ldots \mspace{14mu},n}\mspace{20mu} {{{{for}\mspace{14mu} t} = 0},{{1\mspace{14mu} \left( \vartheta_{t,i,j} \right)_{i,{j = 1},\ldots \mspace{14mu},N_{t}}}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}},\mspace{20mu} {b_{t,i}^{*}:={\left( {\vartheta_{t,i,1,\ldots \mspace{14mu},}\vartheta_{t,i,N_{t}}} \right)_{} = {\sum_{j = 1}^{N_{t}}{\vartheta_{t,i,j}a_{j}}}}}}\mspace{20mu} {{{{for}\mspace{14mu} i} = 
1},\ldots \mspace{14mu},N_{t},{_{t}^{*}:=\left( {b_{t,1}^{*},\ldots \mspace{14mu},b_{t,N_{t}}^{*}} \right)},{{return}\mspace{14mu} {\left( {{param}_{n},_{0},_{0}^{*},\left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots \mspace{14mu},{6;{L = 1}},\ldots \mspace{14mu},n},_{1}^{*}} \right).}}}}} & \left\lbrack {{Formula}\mspace{14mu} 136} \right\rbrack \\{\mspace{40mu} {{{Setup}\left( {1^{\lambda},n} \right)\text{:}}{{\left( {{param}_{n},_{0},_{0}^{*},\left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots \mspace{14mu},{6;{L = 1}},{\ldots \mspace{14mu} n}},_{1}^{*}} \right)\overset{R}{\leftarrow}{_{ob}^{{ABE}{(1)}}\left( {1^{\lambda},6,n} \right)}},\mspace{20mu} {{\hat{}}_{0}:=\left( {b_{0,1},b_{0,3},b_{0,5}} \right)},{{\hat{}}_{1}:={\left( {b_{1,1},\ldots \mspace{14mu},b_{1,n},b_{1,{{5n} + 1}},\ldots \mspace{14mu},b_{1,{6n}}} \right) = \left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{{i = 1},{6;{j = 1}},\ldots \mspace{14mu},{6;{L = 1}},\ldots \mspace{14mu},n}}},\mspace{20mu} {{\hat{}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,4}^{*}} \right)},\mspace{20mu} {{\hat{}}_{1}^{*}:=\left( {{b_{1,1,\ldots \mspace{14mu},}^{*}b_{1,n}^{*}},{b_{1,{{3n} + 1},\ldots \mspace{14mu},}^{*}b_{1,{5n}}^{*}}} \right)},\mspace{20mu} {{pk}:=\left( {1^{\lambda},{param}_{n},\left\{ {\hat{}}_{t} \right\}_{{t = 0},1}} \right)},{{sk}:=\left\{ {\hat{}}_{t}^{*} \right\}_{{t = 0},1}},\mspace{20mu} {{return}\mspace{14mu} {pk}},{sk}}}} & \left\lbrack {{Formula}\mspace{14mu} 137} \right\rbrack\end{matrix}$

The public parameter is published, for example, via a network, and is made available for the encryption device 200 and the decryption device 300.

In S103, instead of generating a basis B₁, the variable B_(i,j) is generated. If the basis B₁ is to be generated, it is as indicated in Formula 138.

$\begin{matrix}{\begin{aligned} & \begin{pmatrix} b_{1,(i-1)n+1} \\ \vdots \\ b_{1,in} \end{pmatrix} := \begin{pmatrix} B_{i,1} & & & B_{i,1,1}^{\prime} & & B_{i,6} & & & B_{i,6,1}^{\prime} \\ & \ddots & & \vdots & \ldots & & \ddots & & \vdots \\ & & B_{i,1} & B_{i,1,n-1}^{\prime} & & & & B_{i,6} & B_{i,6,n-1}^{\prime} \\ & & & B_{i,1,n}^{\prime} & & & & & B_{i,6,n}^{\prime} \end{pmatrix} \quad \text{for } i = 1,\ldots,6, \\ & \mathbb{B}_{1} := (b_{1,1},\ldots,b_{1,6n}) \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 138} \right\rbrack\end{matrix}$

A blank portion in the matrix of Formula 138 denotes that the value of the element is 0 ∈ G. The basis B₁ is the orthonormal basis of the basis B*₁. That is, e(b_(1,i), b*_(1,i)) = g_(T), and e(b_(1,i), b*_(1,j)) = 1 for integers i and j of 1 ≦ i ≠ j ≦ 6n.

With reference to FIG. 10, the process of the KeyGen algorithm will be described.

(S201: Information Input Step)

With an input device, the information input part 130 takes as input an access structure S:=(M, ρ). Note that the matrix M of the access structure S is to be set according to the conditions of a system to be implemented. Note also that attribute information of a user of a decryption key sk_(S) is set in ρ of the access structure S, for example.

(S202: f Vector Generation Step)

With the processing device, the f vector generation part 141 randomly generates a vector $\vec{f}$, as indicated in Formula 139.

$\begin{matrix}{\vec{f} \overset{U}{\leftarrow} \mathbb{F}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 139} \right\rbrack\end{matrix}$

(S203: s Vector Generation Step)

With the processing device, the s vector generation part 142 generates a vector $\vec{s}^{T} := (s_{1},\ldots,s_{L})^{T}$, as indicated in Formula 140.

$\begin{matrix}{\vec{s}^{T} := (s_{1},\ldots,s_{L})^{T} := M \cdot \vec{f}^{T}} & \left\lbrack {{Formula}\mspace{14mu} 140} \right\rbrack\end{matrix}$

With the processing device, the s vector generation part 142 also generates a value s₀, as indicated in Formula 141.

$\begin{matrix}{s_{0} := \vec{1} \cdot \vec{f}^{T}} & \left\lbrack {{Formula}\mspace{14mu} 141} \right\rbrack\end{matrix}$

(S204: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 142.

$\begin{matrix}{\eta_{0} \overset{U}{\leftarrow} \mathbb{F}_{q},\quad \vec{\eta}_{i} \overset{U}{\leftarrow} \mathbb{F}_{q}^{2n} \text{ for } i = 1,\ldots,L,\quad \theta_{i} \overset{U}{\leftarrow} \mathbb{F}_{q} \text{ for } i = 1,\ldots,L} & \left\lbrack {{Formula}\mspace{14mu} 142} \right\rbrack\end{matrix}$

(S205: Key Element Generation Step)

With the processing device, the key element generation part 144 generates an element k*₀ of the decryption key sk_(S), as indicated in Formula 143.

$\begin{matrix}{k_{0}^{*} := \left( -s_{0},0,1,\eta_{0},0 \right)_{\mathbb{B}_{0}^{*}}} & \left\lbrack {{Formula}\mspace{14mu} 143} \right\rbrack\end{matrix}$

With the processing device, the key element generation part 144 also generates an element k*_(i) of the decryption key sk_(S) for each integer i=1, . . . , L, as indicated in Formula 144.

$\begin{matrix}{\begin{aligned} & \text{for } i = 1,\ldots,L,\quad \vec{v}_{i} := (v_{i}^{n-1},\ldots,v_{i},1), \\ & \text{if } \rho(i) = v_{i},\quad k_{i}^{*} := \left( \overbrace{s_{i}\vec{e}_{1} + \theta_{i}\vec{v}_{i}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_{i}}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_{1}^{*}}, \\ & \text{if } \rho(i) = \neg v_{i},\quad k_{i}^{*} := \left( \overbrace{s_{i}\vec{v}_{i}}^{n_{t}},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_{i}}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_{1}^{*}} \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 144} \right\rbrack\end{matrix}$

(S206: Key Transmission Step)

With a communication device and via the network, for example, the key transmission part 150 transmits the decryption key sk_(S) having, as elements, the access structure S inputted in (S201) and k*₀, k*₁, . . . , and k*_(L) generated in (S205) to the decryption device 300 in secrecy. As a matter of course, the decryption key sk_(S) may be transmitted to the decryption device 300 by another method.

In brief, in (S201) through (S205), the key generation device 100 generates the decryption key sk_(S) by executing the KeyGen algorithm indicated in Formula 145. In (S206), the key generation device 100 transmits the generated decryption key sk_(S) to the decryption device 300.

$\begin{matrix}{\begin{aligned} & {KeyGen}(pk,sk,\mathbb{S} = (M,\rho)): \\ & \quad \vec{f} \overset{U}{\leftarrow} \mathbb{F}_{q}^{r},\ \vec{s}^{T} := (s_{1},\ldots,s_{L})^{T} := M \cdot \vec{f}^{T},\ s_{0} := \vec{1} \cdot \vec{f}^{T}, \\ & \quad \eta_{0} \overset{U}{\leftarrow} \mathbb{F}_{q},\ k_{0}^{*} := \left( -s_{0},0,1,\eta_{0},0 \right)_{\mathbb{B}_{0}^{*}}, \\ & \quad \text{for } i = 1,\ldots,L,\ \vec{v}_{i} := (v_{i}^{n-1},\ldots,v_{i},1),\ \vec{\eta}_{i} \overset{U}{\leftarrow} \mathbb{F}_{q}^{2n}, \\ & \quad \text{if } \rho(i) = v_{i} \in \mathbb{F}_{q}^{\times},\ \theta_{i} \overset{U}{\leftarrow} \mathbb{F}_{q},\ k_{i}^{*} := \left( \overbrace{s_{i}\vec{e}_{1} + \theta_{i}\vec{v}_{i}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_{i}}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_{1}^{*}}, \\ & \quad \text{if } \rho(i) = \neg v_{i},\ k_{i}^{*} := \left( \overbrace{s_{i}\vec{v}_{i}}^{n_{t}},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_{i}}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_{1}^{*}}, \\ & \quad sk_{\mathbb{S}} := (\mathbb{S},k_{0}^{*},k_{1}^{*},\ldots,k_{L}^{*}), \\ & \quad \text{return } sk_{\mathbb{S}}. \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 145} \right\rbrack\end{matrix}$

The function and operation of the encryption device 200 will be described.

As illustrated in FIG. 7, the encryption device 200 includes a public parameter receiving part 210, an information input part 220, an encrypted data generation part 230, and a data transmission part 240. The encrypted data generation part 230 includes a random number generation part 231 and a cipher element generation part 232.

With reference to FIG. 11, the process of the Enc algorithm will be described.

(S301: Public Parameter Receiving Step)

With the communication device and via the network, for example, the public parameter receiving part 210 receives the public parameter pk generated by the key generation device 100.

(S302: Information Input Step)

With the input device, the information input part 220 takes as input a message m to be transmitted to the decryption device 300. With the input device, the information input part 220 also takes as input an attribute set Γ:={x₁, . . . ,x_(n′) | x_(j) ∈ F_(q)^(×), n′≦n−1}. Note that attribute information of a user capable of decryption is set in the attribute set Γ, for example.

(S303: Random Number Generation Step)

With the processing device, the random number generation part 231 generates random numbers, as indicated in Formula 146.

$\begin{matrix}{\omega,\phi_{0},\phi_{1},\zeta \overset{U}{\leftarrow} \mathbb{F}_{q}} & \left\lbrack {{Formula}\mspace{14mu} 146} \right\rbrack\end{matrix}$

(S304: Cipher Element Generation Step)

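With the processing device, the cipher element generation part 232 generates an element c₀ of a ciphertext ct_(Γ), as indicated in Formula 147.

$\begin{matrix}{c_{0} := \left( \omega,0,\zeta,0,\phi_{0} \right)_{\mathbb{B}_{0}}} & \left\lbrack {{Formula}\mspace{14mu} 147} \right\rbrack\end{matrix}$

With the processing device, the cipher element generation part 232 also generates elements C_(1,j) and C_(2,j) of the ciphertext ct_(Γ), as indicated in Formula 148.

$\begin{matrix}{\begin{aligned} & \text{for } j = 1,\ldots,6, \\ & C_{1,j} := \omega B_{1,j} + \eta_{1}B_{6,j}, \\ & C_{2,j} := \sum_{L = 1}^{n} y_{L}\left( \omega B_{1,j,L}^{\prime} + \phi_{1}B_{6,j,L}^{\prime} \right) \\ & \text{where } \vec{y} := (y_{1},\ldots,y_{n}) \text{ such that } \sum_{j = 0}^{n-1} y_{n-j}z^{j} = z^{n-1-n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}} (z - x_{j}) \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 148} \right\rbrack\end{matrix}$

With the processing device, the cipher element generation part 232 also generates an element c₃ of the ciphertext ct_(Γ), as indicated in Formula 149.

$\begin{matrix}{c_{3} := g_{T}^{\zeta}m} & \left\lbrack {{Formula}\mspace{14mu} 149} \right\rbrack\end{matrix}$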

(S305: Data Transmission Step)

With the communication device and via the network, for example, the data transmission part 240 transmits the ciphertext ct_(Γ) having, as elements, the attribute set Γ inputted in (S302) and c₀, C_(1,j), C_(2,j), and c₃ generated in (S304) to the decryption device 300. As a matter of course, the ciphertext ct_(Γ) may be transmitted to the decryption device 300 by another method.

In brief, in (S301) through (S304), the encryption device 200 generates the ciphertext ct_(Γ) by executing the Enc algorithm indicated in Formula 150. In (S305), the encryption device 200 transmits the generated ciphertext ct_(Γ) to the decryption device 300.

$\begin{matrix}{\begin{aligned} & {Enc}\left( pk,m,\Gamma = \left\{ x_{1},\ldots,x_{n^{\prime}} \mid x_{j} \in \mathbb{F}_{q}^{\times},\ n^{\prime} \leq n - 1 \right\} \right): \\ & \quad \omega,\phi_{0},\phi_{1},\zeta \overset{U}{\leftarrow} \mathbb{F}_{q}, \\ & \quad \vec{y} := (y_{1},\ldots,y_{n}) \text{ such that } \sum_{j = 0}^{n-1} y_{n-j}z^{j} = z^{n-1-n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}} (z - x_{j}), \\ & \quad c_{0} := \left( \omega,0,\zeta,0,\phi_{0} \right)_{\mathbb{B}_{0}}, \\ & \quad C_{1,j} := \omega B_{1,j} + \eta_{1}B_{6,j}, \\ & \quad C_{2,j} := \sum_{L = 1}^{n} y_{L}\left( \omega B_{1,j,L}^{\prime} + \phi_{1}B_{6,j,L}^{\prime} \right) \quad \text{for } j = 1,\ldots,6, \\ & \quad c_{3} := g_{T}^{\zeta}m, \\ & \quad ct_{\Gamma} := \left( \Gamma,c_{0},\left\{ C_{1,j},C_{2,j} \right\}_{j = 1,\ldots,6},c_{3} \right), \\ & \quad \text{return } ct_{\Gamma}. \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 150} \right\rbrack\end{matrix}$

The function and operation of the decryption device 300 will be described.

As illustrated in FIG. 8, the decryption device 300 includes a decryption key receiving part 310, a data receiving part 320, a span program computation part 330, a complementary coefficient computation part 340, and a decryption part 350.

With reference to FIG. 12, the process of the Dec algorithm will be described.

(S401: Decryption Key Receiving Step)

With the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(S) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S402: Data Receiving Step)

With the communication device and via the network, for example, the data receiving part 320 receives the ciphertext ct_(Γ) transmitted by the encryption device 200.

(S403: Span Program Computation Step)

With the processing device, the span program computation part 330 determines whether or not the access structure S included in the decryption key sk_(S) received in (S401) accepts Γ included in the ciphertext ct_(Γ) received in (S402). The method for determining whether or not the access structure S accepts Γ is as described in “2. Concept for Implementing Cryptographic Scheme”.

If the access structure S accepts Γ (accept in S403), the span program computation part 330 advances the process to (S404). If the access structure S rejects Γ (reject in S403), the span program computation part 330 determines that the ciphertext ct_(Γ) cannot be decrypted with the decryption key sk_(S), and ends the process.

(S404: Complementary Coefficient Computation Step)

With the processing device, the complementary coefficient computation part 340 computes I and a constant (complementary coefficient) {α_(i)}_(i∈I) such that Formula 151 is satisfied.

$\begin{matrix}{\begin{aligned} & \vec{1} = \sum_{i \in I} \alpha_{i}M_{i} \\ & \text{where } M_{i} \text{ is the } i\text{-th row of } M, \text{ and} \\ & I \subseteq \left\{ i \in \{ 1,\ldots,L \} \;\middle|\; \left\lbrack \rho(i) = v_{i} \wedge v_{i} \in \Gamma \right\rbrack \vee \left\lbrack \rho(i) = \neg v_{i} \wedge v_{i} \notin \Gamma \right\rbrack \right\} \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 151} \right\rbrack\end{matrix}$

(S405: Decryption Element Generation Step)

With the processing device, the decryption part 350 generates decryption elements D*₁, . . . , D*_(6n), E*_(j), as indicated in Formula 152.

$\begin{matrix}{\begin{aligned} & (D_{1}^{*},\ldots,D_{6n}^{*}) := \sum_{i \in I \wedge \rho(i) = v_{i}} \alpha_{i}k_{i}^{*} + \sum_{i \in I \wedge \rho(i) = \neg v_{i}} \frac{\alpha_{i}}{\vec{v}_{i} \cdot \vec{y}}k_{i}^{*}, \\ & E_{j}^{*} := \sum_{L = 1}^{n-1} y_{L-1}D_{(j-1)n+L}^{*} \quad \text{for } j = 1,\ldots,6 \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 152} \right\rbrack\end{matrix}$

(S406: Pairing Operation Step)

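With the processing device, the decryption part 350 computes Formula 153, and thereby generates a session key K=g_(T)^(ζ).

$\begin{matrix}{K := e(c_{0},k_{0}^{*}) \cdot \prod_{j = 1}^{6} \left( e(C_{1,j},E_{j}^{*}) \cdot e(C_{2,j},D_{jn}^{*}) \right)} & \left\lbrack {{Formula}\mspace{14mu} 153} \right\rbrack\end{matrix}$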

(S407: Message Computation Step)

With the processing device, the decryption part 350 computes m′=c₃/K, and thereby generates a message m′ (=m).

In brief, in (S401) through (S407), the decryption device 300 generates the message m′ (=m) by executing the Dec algorithm indicated in Formula 154.

$\begin{matrix}{\begin{aligned} & {Dec}\left( pk,\ sk_{\mathbb{S}} := (\mathbb{S},k_{0}^{*},k_{1}^{*},\ldots,k_{L}^{*}),\ ct_{\Gamma} := \left( \Gamma,c_{0},\left\{ C_{1,j},C_{2,j} \right\}_{j = 1,\ldots,6},c_{3} \right) \right): \\ & \quad \text{If } \mathbb{S} \text{ accepts } \Gamma, \text{ then compute } I \text{ and } \left\{ \alpha_{i} \right\}_{i \in I} \text{ such that} \\ & \quad \vec{1} = \sum_{i \in I} \alpha_{i}M_{i} \text{ where } M_{i} \text{ is the } i\text{-th row of } M, \text{ and} \\ & \quad I \subseteq \left\{ i \in \{ 1,\ldots,L \} \;\middle|\; \left\lbrack \rho(i) = v_{i} \wedge v_{i} \in \Gamma \right\rbrack \vee \left\lbrack \rho(i) = \neg v_{i} \wedge v_{i} \notin \Gamma \right\rbrack \right\}, \\ & \quad \vec{y} := (y_{1},\ldots,y_{n}) \text{ such that } \sum_{j = 0}^{n-1} y_{n-j}z^{j} = z^{n-1-n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}} (z - x_{j}), \\ & \quad (D_{1}^{*},\ldots,D_{6n}^{*}) := \sum_{i \in I \wedge \rho(i) = v_{i}} \alpha_{i}k_{i}^{*} + \sum_{i \in I \wedge \rho(i) = \neg v_{i}} \frac{\alpha_{i}}{\vec{v}_{i} \cdot \vec{y}}k_{i}^{*}, \\ & \quad E_{j}^{*} := \sum_{L = 1}^{n-1} y_{L-1}D_{(j-1)n+L}^{*} \quad \text{for } j = 1,\ldots,6, \\ & \quad K := e(c_{0},k_{0}^{*}) \cdot \prod_{j = 1}^{6} \left( e(C_{1,j},E_{j}^{*}) \cdot e(C_{2,j},D_{jn}^{*}) \right), \\ & \quad \text{return } m^{\prime} := c_{3}/K. \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 154} \right\rbrack\end{matrix}$

Based on Formula 138, B₁:=(b_(1,1), . . . ,b_(1,6n)) is identified by {B_(i,j), B′_(i,j,L)}_(i,j=1, . . . ,6; L=1, . . . ,n). {B_(i,j), B′_(i,j,L)}_(i=1,6; j=1, . . . ,6; L=1, . . . ,n) included in the output of the Setup algorithm is identified by B̂₁:=(b_(1,1), . . . ,b_(1,n), b_(1,5n+1), . . . ,b_(1,6n)).

Then, the Dec algorithm can be described as a Dec′ algorithm indicated in Formula 155.

$\begin{matrix}{\begin{aligned} & {Dec}^{\prime}\left( pk,\ sk_{\mathbb{S}} := (\vec{v},k_{0}^{*},k_{1}^{*},\ldots,k_{L}^{*}),\ ct_{\Gamma} := \left( \Gamma,c_{0},\left\{ C_{1,j},C_{2,j} \right\}_{j = 1,\ldots,6},c_{3} \right) \right): \\ & \quad \text{If } \mathbb{S} \text{ accepts } \Gamma, \text{ then compute } I \text{ and } \left\{ \alpha_{i} \right\}_{i \in I} \text{ such that} \\ & \quad \vec{1} = \sum_{i \in I} \alpha_{i}M_{i} \text{ where } M_{i} \text{ is the } i\text{-th row of } M, \text{ and} \\ & \quad I \subseteq \left\{ i \in \{ 1,\ldots,L \} \;\middle|\; \left\lbrack \rho(i) = v_{i} \wedge v_{i} \in \Gamma \right\rbrack \vee \left\lbrack \rho(i) = \neg v_{i} \wedge v_{i} \notin \Gamma \right\rbrack \right\}, \\ & \quad \vec{y} := (y_{1},\ldots,y_{n}) \text{ such that } \sum_{j = 0}^{n-1} y_{n-j}z^{j} = z^{n-1-n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}} (z - x_{j}), \\ & \quad c_{1} = \left( \overbrace{y_{1}C_{1,1},\ldots,y_{n-1}C_{1,1},C_{2,1}}^{n},\ \overbrace{y_{1}C_{1,2},\ldots,y_{n-1}C_{1,2},C_{2,2}}^{n},\ \ldots,\ \overbrace{y_{1}C_{1,5},\ldots,y_{n-1}C_{1,5},C_{2,5}}^{n},\ \overbrace{y_{1}C_{1,6},\ldots,y_{n-1}C_{1,6},C_{2,6}}^{n} \right), \\ & \quad \text{that is, } c_{1} = \left( \overbrace{\omega\vec{y}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\phi_{1}\vec{y}}^{n} \right)_{\mathbb{B}_{1}}, \\ & \quad K := e(c_{0},k_{0}^{*}) \cdot e\left( c_{1},\ \sum_{i \in I \wedge \rho(i) = v_{i}} \alpha_{i}k_{i}^{*} + \sum_{i \in I \wedge \rho(i) = \neg v_{i}} \frac{\alpha_{i}}{\vec{v}_{i} \cdot \vec{y}}k_{i}^{*} \right), \\ & \quad \text{return } m^{\prime} := c_{3}/K. \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 155} \right\rbrack\end{matrix}$

As indicated in Formula 156, when the Dec′ algorithm is employed, K:=g_(T)^(ζ) is obtained. Therefore, the message m′ (=m) can be obtained by dividing c₃=g_(T)^(ζ)m by K.

$\begin{matrix}{\begin{aligned} & e(c_{0},k_{0}^{*}) \cdot \prod_{i \in I \wedge \rho(i) = v_{i}} e(c_{1},k_{i}^{*})^{\alpha_{i}} \cdot \prod_{i \in I \wedge \rho(i) = \neg v_{i}} e(c_{1},k_{i}^{*})^{\alpha_{i}/(\vec{v}_{i} \cdot \vec{y})} \\ & \quad = g_{T}^{-\omega s_{0} + \zeta} \prod_{i \in I \wedge \rho(i) = v_{i}} g_{T}^{\omega\alpha_{i}s_{i}} \prod_{i \in I \wedge \rho(i) = \neg v_{i}} g_{T}^{\omega\alpha_{i}s_{i}(\vec{v}_{i} \cdot \vec{y})/(\vec{v}_{i} \cdot \vec{y})} \\ & \quad = g_{T}^{\omega\left( -s_{0} + \sum_{i \in I} \alpha_{i}s_{i} \right) + \zeta} = g_{T}^{\zeta}. \end{aligned}} & \left\lbrack {{Formula}\mspace{14mu} 156} \right\rbrack\end{matrix}$

In the KP-ABE scheme described in Embodiment 1, the ciphertext ct_(Γ) consists of a total of 17 elements of G, which are five elements in the element c₀, and 12 elements in the element C_(1,j) and the element C_(2,j) for each integer j=1, . . . ,6, as well as one element of G_(T) in the element c₃. That is, the ciphertext ct_(Γ) is constant-size in n.

In the KP-ABE scheme described in Embodiment 1, the decryption process (Dec algorithm) executes only a total of 17 pairing operations, which are five operations in e(c₀, k*₀) indicated in Formula 153 and 12 operations in Π_(j=1) ⁶(e(C_(1,j), E*_(j))·e(C_(2,j), D*_(jn))). That is, the number of pairing operations required for the decryption process is small.

Embodiment 2

In Embodiment 2, a ciphertext-policy ABE (CP-ABE) scheme with a constant-size secret key will be described.

In Embodiment 2, description will be omitted for what is the same as in Embodiment 1, and differences from Embodiment 1 will be described.

First, a basic structure of a cryptographic scheme according to Embodiment 2 will be described.

Second, a configuration of a cryptographic system 10 that implements the cryptographic scheme according to Embodiment 2 will be described.

Third, the cryptographic scheme according to Embodiment 2 will be described in detail.

<1. Basic Structure of Cryptographic Scheme>

The structure of the CP-ABE scheme will be briefly described. Ciphertext-policy signifies that a policy, namely an access structure, is embedded in a ciphertext.

The CP-ABE scheme includes four algorithms: Setup, KeyGen, Enc, and Dec.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and outputs a public parameter pk and a master key sk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input the public parameter pk, the master key sk, and an attribute set Γ:={x_(j)}_(1≦j≦n′), and outputs a decryption key sk_(Γ).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input the public parameter pk, a message m, and an access structure S:=(M, ρ), and outputs a ciphertext ct_(S).

(Dec)

A Dec algorithm is an algorithm that takes as input the public parameter pk, the decryption key sk_(Γ), and the ciphertext ct_(S), and outputs the message m or a distinguished symbol ⊥.

<2. Configuration of Cryptographic System 10 that Implements CP-ABE Scheme>

FIG. 13 is a configuration diagram of the cryptographic system 10 that implements the CP-ABE scheme according to Embodiment 2.

The cryptographic system 10 includes a key generation device 100, an encryption device 200 (an example of the transmission device), and a decryption device 300 (an example of the reception device).

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and thereby generates a public parameter pk and a master key sk. Then, the key generation device 100 publishes the generated public parameter pk. The key generation device 100 also executes the KeyGen algorithm taking as input an attribute set Γ, thereby generates a decryption key sk_(Γ), and transmits the decryption key sk_(Γ) to the decryption device 300 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input the public parameter pk, a message m, and an access structure S, and thereby generates a ciphertext ct_(S). The encryption device 200 transmits the generated ciphertext ct_(S) to the decryption device 300.

The decryption device 300 executes the Dec algorithm taking as input the public parameter pk, the decryption key sk_(Γ), and the ciphertext ct_(S), and outputs the message m or a distinguished symbol ⊥.

<3. Cryptographic Scheme>

FIG. 14 is a configuration diagram of the key generation device 100 according to Embodiment 2. FIG. 15 is a configuration diagram of the encryption device 200 according to Embodiment 2. The configuration of the decryption device 300 is the same as the configuration of the decryption device 300 according to Embodiment 1 illustrated in FIG. 8.

FIG. 16 is a flowchart illustrating the process of the KeyGen algorithm according to Embodiment 2. FIG. 17 is a flowchart illustrating the process of the Enc algorithm according to Embodiment 2. The process of the Setup algorithm and the process of the Dec algorithm have the same flow as that of the process of the Setup algorithm and the process of the Dec algorithm according to Embodiment 1 indicated in FIG. 9 and FIG. 12, respectively.

The function and operation of the key generation device 100 will be described.

As illustrated in FIG. 14, the key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The master key generation part 110 includes a space generation part 111, a matrix generation part 112, a basis generation part 113, and a key generation part 114. The decryption key generation part 140 includes a random number generation part 143 and a key element generation part 144.

With reference to FIG. 9, the process of the Setup algorithm will be described.

The process of (S101) through (S102) is the same as that in Embodiment 1.

(S103: Basis B Generation Step)

With the processing device, the basis generation part 113 generates a basis D₀, a variable D_(i,j), and a variable D′_(i,j,L), as indicated in Formula 157, similarly to the basis B₀, the variable B_(i,j), and the variable B′_(i,j,L) in Embodiment 1.

$\begin{matrix}\begin{aligned}
& b_{0,i} := (\chi_{0,i,1}, \ldots, \chi_{0,i,5})_{\mathbb{A}} = \sum_{j=1}^{5} \chi_{0,i,j} a_j \quad \text{for } i = 1, \ldots, 5, \\
& \mathbb{D}_0 := (b_{0,1}, \ldots, b_{0,5}), \\
& D_{i,j} := \mu_{i,j}\, g, \quad D'_{i,j,L} := \mu'_{i,j,L}\, g \quad \text{for } i, j = 1, \ldots, 6;\ L = 1, \ldots, n
\end{aligned} & \left\lbrack \text{Formula 157} \right\rbrack\end{matrix}$

With the processing device, the basis generation part 113 also generates a basis D*₀ and a basis D*₁, as indicated in Formula 158, similarly to the basis B*₀ and the basis B*₁ in Embodiment 1.

$\begin{matrix}\begin{aligned}
& \text{for } t = 0, 1: \\
& (\theta_{t,i,j})_{i,j=1,\ldots,N_t} := \psi \cdot (X_t^{T})^{-1}, \\
& b_{t,i}^{*} := (\theta_{t,i,1}, \ldots, \theta_{t,i,N_t})_{\mathbb{A}} = \sum_{j=1}^{N_t} \theta_{t,i,j} a_j \quad \text{for } i = 1, \ldots, N_t, \\
& \mathbb{D}_t^{*} := (b_{t,1}^{*}, \ldots, b_{t,N_t}^{*})
\end{aligned} & \left\lbrack \text{Formula 158} \right\rbrack\end{matrix}$

Then, the basis generation part 113 sets the basis D*₀ as a basis B₀, the basis D₀ as a basis B*₀, and the basis D*₁ as a basis B₁. The basis generation part 113 also sets the variable D_(i,j) as a variable B*_(i,j) and the variable D′_(i,j,L) as a variable B′*_(i,j,L) for each integer i, j=1, . . . ,6 and each integer L=1, . . . , n.

(S104: Basis B̂ Generation Step)

With the processing device, the key generation part 114 generates a basis B̂₀, a basis B̂₁, a basis B̂*₀, and a basis B̂*₁, as indicated in Formula 159.

$\begin{matrix}\begin{aligned}
& \hat{\mathbb{B}}_0 := (b_{0,1}, b_{0,3}, b_{0,4}), \\
& \hat{\mathbb{B}}_1 := (b_{1,1}, \ldots, b_{1,n}, b_{1,3n+1}, \ldots, b_{1,5n}), \\
& \hat{\mathbb{B}}_0^{*} := (b_{0,1}^{*}, b_{0,3}^{*}, b_{0,5}^{*}), \\
& \hat{\mathbb{B}}_1^{*} := (b_{1,1}^{*}, \ldots, b_{1,n}^{*}, b_{1,5n+1}^{*}, \ldots, b_{1,6n}^{*}) = \{D_{i,j}, D'_{i,j,L}\}_{i=1,6;\ j=1,\ldots,6;\ L=1,\ldots,n}
\end{aligned} & \left\lbrack \text{Formula 159} \right\rbrack\end{matrix}$

The process of (S105) is the same as that in Embodiment 1.

In brief, in (S101) through (S105), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 161, the Setup algorithm using an algorithm G^(ABE(2)) _(ob) indicated in Formula 160. Note that the algorithm G^(CP-ABE(2)) _(ob) uses the algorithm G^(ABE(1)) _(ob) indicated in Formula 136, as indicated in Formula 160.

$\begin{matrix}\begin{aligned}
& \mathcal{G}_{ob}^{ABE(2)}(1^{\lambda}, 6, n): \\
& \quad (\mathrm{param}_n, \mathbb{D}_0, \mathbb{D}_0^{*}, \{D_{i,j}, D'_{i,j,L}\}_{i,j=1,\ldots,6;\ L=1,\ldots,n}, \mathbb{D}_1^{*}) \overset{R}{\leftarrow} \mathcal{G}_{ob}^{(1)}(1^{\lambda}, 6, n), \\
& \quad \mathbb{B}_0 := \mathbb{D}_0^{*}, \quad \mathbb{B}_0^{*} := \mathbb{D}_0, \quad \mathbb{B}_1 := \mathbb{D}_1^{*}, \\
& \quad B_{i,j}^{*} := D_{i,j}, \quad B_{i,j,L}^{\prime *} := D'_{i,j,L} \quad \text{for } i, j = 1, \ldots, 6;\ L = 1, \ldots, n, \\
& \quad \text{return } (\mathrm{param}_n, \mathbb{B}_0, \mathbb{B}_0^{*}, \mathbb{B}_1, \{B_{i,j}^{*}, B_{i,j,L}^{\prime *}\}_{i,j=1,\ldots,6;\ L=1,\ldots,n}).
\end{aligned} & \left\lbrack \text{Formula 160} \right\rbrack \\
\begin{aligned}
& \mathrm{Setup}(1^{\lambda}, n): \\
& \quad (\mathrm{param}_n, \mathbb{B}_0, \mathbb{B}_0^{*}, \mathbb{B}_1, \{B_{i,j}^{*}, B_{i,j,L}^{\prime *}\}_{i,j=1,\ldots,6;\ L=1,\ldots,n}) \overset{R}{\leftarrow} \mathcal{G}_{ob}^{ABE(2)}(1^{\lambda}, 6, n), \\
& \quad \hat{\mathbb{B}}_0 := (b_{0,1}, b_{0,3}, b_{0,4}), \\
& \quad \hat{\mathbb{B}}_1 := (b_{1,1}, \ldots, b_{1,n}, b_{1,3n+1}, \ldots, b_{1,5n}), \\
& \quad \hat{\mathbb{B}}_0^{*} := (b_{0,1}^{*}, b_{0,3}^{*}, b_{0,5}^{*}), \\
& \quad \hat{\mathbb{B}}_1^{*} := (b_{1,1}^{*}, \ldots, b_{1,n}^{*}, b_{1,5n+1}^{*}, \ldots, b_{1,6n}^{*}) = \{B_{i,j}^{*}, B_{i,j,L}^{\prime *}\}_{i=1,6;\ j=1,\ldots,6;\ L=1,\ldots,n}, \\
& \quad pk := (1^{\lambda}, \mathrm{param}_n, \{\hat{\mathbb{B}}_t\}_{t=0,1}), \quad sk := \{\hat{\mathbb{B}}_t^{*}\}_{t=0,1}, \\
& \quad \text{return } pk, sk.
\end{aligned} & \left\lbrack \text{Formula 161} \right\rbrack\end{matrix}$

The public parameter is published via the network, for example, and is made available for the encryption device 200 and the decryption device 300.

With reference to FIG. 16, the process of the KeyGen algorithm will be described.

(S501: Information Input Step)

With the input device, the information input part 130 takes as input an attribute set Γ:={x₁, . . . ,x_(n′)|x_(j)∈F_(q) ^(×), n′≦n−1}. Note that attribute information of a user of a decryption key sk_(Γ) is set in the attribute set Γ, for example.

(S502: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 162.

$\begin{matrix}\omega, \phi_0, \phi_1 \overset{U}{\leftarrow} \mathbb{F}_q & \left\lbrack \text{Formula 162} \right\rbrack\end{matrix}$

(S503: Key Element Generation Step)

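With the processing device, the key element generation part 144 generates an element k*₀ of the decryption key sk_(Γ), as indicated in Formula 163.

$\begin{matrix}k_0^{*} := (\omega, 0, 1, 0, \phi_0)_{\mathbb{B}_0^{*}} & \left\lbrack \text{Formula 163} \right\rbrack\end{matrix}$

With the processing device, the key element generation part 144 also generates elements K*_(1,j) and K*_(2,j) of the decryption key sk_(Γ), as indicated in Formula 164.

$\begin{matrix}\begin{aligned}
& \text{for } j = 1, \ldots, 6: \\
& K_{1,j} := \omega B_{1,j}^{*} + \phi_1 B_{6,j}^{*}, \\
& K_{2,j} := \sum_{L=1}^{n} y_L \left( \omega B_{1,j,L}^{\prime *} + \phi_1 B_{6,j,L}^{\prime *} \right), \\
& \text{where } \vec{y} := (y_1, \ldots, y_n) \text{ such that } \sum_{j=0}^{n-1} y_{n-j} z^{j} = z^{n-1-n'} \cdot \prod_{j=1}^{n'} (z - x_j)
\end{aligned} & \left\lbrack \text{Formula 164} \right\rbrack\end{matrix}$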

(S504: Key Transmission Step)

With the communication device and via the network, for example, the key transmission part 150 transmits the decryption key sk_(Γ) having, as elements, the attribute set Γ inputted in (S501) and k*₀, K*_(1,j), and K*_(2,j) generated in (S503) to the decryption device 300 in secrecy. As a matter of course, the decryption key sk_(Γ) may be transmitted to the decryption device 300 by another method.

In brief, in (S501) through (S503), the key generation device 100 generates the decryption key sk_(Γ) by executing the KeyGen algorithm indicated in Formula 165. In (S504), the key generation device 100 transmits the generated decryption key sk_(Γ) to the decryption device 300.

$\begin{matrix}\begin{aligned}
& \mathrm{KeyGen}(pk, sk, \Gamma = \{x_1, \ldots, x_{n'} \mid x_j \in \mathbb{F}_q^{\times},\ n' \le n - 1\}): \\
& \quad \omega, \phi_0, \phi_1 \overset{U}{\leftarrow} \mathbb{F}_q, \\
& \quad \vec{y} := (y_1, \ldots, y_n) \text{ such that } \sum_{j=0}^{n-1} y_{n-j} z^{j} = z^{n-1-n'} \cdot \prod_{j=1}^{n'} (z - x_j), \\
& \quad k_0^{*} := (\omega, 0, 1, 0, \phi_0)_{\mathbb{B}_0^{*}}, \\
& \quad K_{1,j} := \omega B_{1,j}^{*} + \phi_1 B_{6,j}^{*}, \quad K_{2,j} := \sum_{L=1}^{n} y_L \left( \omega B_{1,j,L}^{\prime *} + \phi_1 B_{6,j,L}^{\prime *} \right) \quad \text{for } j = 1, \ldots, 6, \\
& \quad sk_{\Gamma} := (\Gamma, k_0^{*}, \{K_{1,j}, K_{2,j}\}_{j=1,\ldots,6}), \\
& \quad \text{return } sk_{\Gamma}.
\end{aligned} & \left\lbrack \text{Formula 165} \right\rbrack\end{matrix}$

The function and operation of the encryption device 200 will be described.

As illustrated in FIG. 15, the encryption device 200 includes a public parameter receiving part 210, an information input part 220, an encrypted data generation part 230, and a data transmission part 240. The encrypted data generation part 230 includes a random number generation part 231, a cipher element generation part 232, an f vector generation part 233, and an s vector generation part 234.

With reference to FIG. 17, the process of the Enc algorithm will be described.

The process of (S601) is the same as the process of (S301) indicated in FIG. 11.

(S602: Information Input Step)

With the input device, the information input part 220 takes as input an access structure S:=(M, ρ). Note that the access structure S is to be set according to the conditions of a system to be implemented. Note also that attribute information of a user capable of decryption is set in ρ of the access structure S, for example.

With the input device, the information input part 220 also takes as input a message m to be transmitted to the decryption device 300.

(S603: f Vector Generation Step)

With the processing device, the f vector generation part 233 randomly generates a vector $\vec{f}$, as indicated in Formula 166.

$\begin{matrix}\vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r} & \left\lbrack \text{Formula 166} \right\rbrack\end{matrix}$

(S604: s Vector Generation Step)

With the processing device, the s vector generation part 234 generates a vector $\vec{s}^{T} := (s_1, \ldots, s_L)^{T}$, as indicated in Formula 167.

$\begin{matrix}\vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T} & \left\lbrack \text{Formula 167} \right\rbrack\end{matrix}$

With the processing device, the s vector generation part 234 also generates a value s₀, as indicated in Formula 168.

$\begin{matrix}s_0 := \vec{1} \cdot \vec{f}^{T} & \left\lbrack \text{Formula 168} \right\rbrack\end{matrix}$

(S605: Random Number Generation Step)

With the processing device, the random number generation part 231 generates random numbers, as indicated in Formula 169.

$\begin{matrix}\begin{aligned}
& \eta_0, \zeta \overset{U}{\leftarrow} \mathbb{F}_q, \\
& \vec{\eta}_i \overset{U}{\leftarrow} \mathbb{F}_q^{2n} \quad \text{for } i = 1, \ldots, L, \\
& \theta_i \overset{U}{\leftarrow} \mathbb{F}_q \quad \text{for } i = 1, \ldots, L
\end{aligned} & \left\lbrack \text{Formula 169} \right\rbrack\end{matrix}$

(S606: Cipher Element Generation Step)

With the processing device, the cipher element generation part 232 generates an element c₀ of a ciphertext ct_(S), as indicated in Formula 170.

$\begin{matrix}c_0 := (-s_0, 0, \zeta, \eta_0, 0)_{\mathbb{B}_0} & \left\lbrack \text{Formula 170} \right\rbrack\end{matrix}$

With the processing device, the cipher element generation part 232 also generates an element c_(i) of the ciphertext ct_(S) for each integer i=1, . . . , L, as indicated in Formula 171.

$\begin{matrix}\begin{aligned}
& \text{for } i = 1, \ldots, L, \quad \vec{v}_i := (v_i^{n-1}, \ldots, v_i, 1), \\
& \text{if } \rho(i) = v_i, \quad c_i := \left( \overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_i}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_1}, \\
& \text{if } \rho(i) = \neg v_i, \quad c_i := \left( \overbrace{s_i \vec{v}_i}^{n_t},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_i}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_1}
\end{aligned} & \left\lbrack \text{Formula 171} \right\rbrack\end{matrix}$

With the processing device, the cipher element generation part 232 also generates an element c₃ of the ciphertext ct_(S), as indicated in Formula 172.

$\begin{matrix}c_3 := g_T^{\zeta} m & \left\lbrack \text{Formula 172} \right\rbrack\end{matrix}$

(S607: Data Transmission Step)

With the communication device and via the network, for example, the data transmission part 240 transmits the ciphertext ct_(S) having, as elements, the access structure S inputted in (S602) and c₀, c₁, . . . ,c_(L), and c₃ generated in (S606) to the decryption device 300. As a matter of course, the ciphertext ct_(S) may be transmitted to the decryption device 300 by another method.

In brief, in (S601) through (S606), the encryption device 200 generates the ciphertext ct_(S) by executing the Enc algorithm indicated in Formula 173. In (S607), the encryption device 200 transmits the generated ciphertext ct_(S) to the decryption device 300.

$\begin{matrix}\begin{aligned}
& \mathrm{Enc}(pk, m, \mathbb{S} = (M, \rho)): \\
& \quad \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r}, \quad \vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}, \quad s_0 := \vec{1} \cdot \vec{f}^{T}, \quad \eta_0, \zeta \overset{U}{\leftarrow} \mathbb{F}_q, \\
& \quad c_0 := (-s_0, 0, \zeta, \eta_0, 0)_{\mathbb{B}_0}, \\
& \quad \text{for } i = 1, \ldots, L, \quad \vec{v}_i := (v_i^{n-1}, \ldots, v_i, 1), \quad \vec{\eta}_i \overset{U}{\leftarrow} \mathbb{F}_q^{2n}, \\
& \quad \text{if } \rho(i) = v_i \in \mathbb{F}_q^{\times}, \quad \theta_i \overset{U}{\leftarrow} \mathbb{F}_q, \quad c_i := \left( \overbrace{s_i \vec{e}_{t,1} + \theta_i \vec{v}_i}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_i}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_1}, \\
& \quad \text{if } \rho(i) = \neg v_i, \quad c_i := \left( \overbrace{s_i \vec{v}_i}^{n_t},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\vec{\eta}_i}^{2n},\ \overbrace{0^{n}}^{n} \right)_{\mathbb{B}_1}, \\
& \quad c_3 := g_T^{\zeta} m, \quad ct_{\mathbb{S}} := (\mathbb{S}, c_0, c_1, \ldots, c_L, c_3), \\
& \quad \text{return } ct_{\mathbb{S}}.
\end{aligned} & \left\lbrack \text{Formula 173} \right\rbrack\end{matrix}$

The function and operation of the decryption device 300 will be described.

With reference to FIG. 12, the process of the Dec algorithm will be described.

(S401: Decryption Key Receiving Step)

With the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(Γ) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S402: Data Receiving Step)

With the communication device and via the network, for example, the data receiving part 320 receives the ciphertext ct_(S) transmitted by the encryption device 200.

(S403: Span Program Computation Step)

With the processing device, the span program computation part 330 determines whether or not the access structure S included in the ciphertext ct_(S) received in (S402) accepts Γ included in the decryption key sk_(Γ) received in (S401).

If the access structure S accepts Γ (accept in S403), the span program computation part 330 advances the process to (S404). If the access structure S rejects Γ (reject in S403), the span program computation part 330 determines that the ciphertext ct_(Γ) cannot be decrypted with the decryption key sk_(S), and ends the process.

The process of (S404) is the same as that in Embodiment 1.

(S405: Decryption Element Generation Step)

With the processing device, the decryption part 350 generates cipher elements D*₁, . . . ,D*_(6n), and E*_(j), as indicated in Formula 174.

$\begin{matrix}\begin{aligned}
& (D_1^{*}, \ldots, D_{6n}^{*}) := \sum_{i \in I \,\wedge\, \rho(i) = v_i} \alpha_i c_i + \sum_{i \in I \,\wedge\, \rho(i) = \neg v_i} \frac{\alpha_i}{\vec{v}_i \cdot \vec{y}} c_i, \\
& E_j^{*} := \sum_{L=1}^{n-1} y_{L-1} D_{(j-1)n+L}^{*} \quad \text{for } j = 1, \ldots, 6
\end{aligned} & \left\lbrack \text{Formula 174} \right\rbrack\end{matrix}$

(S406: Pairing Operation Step)

With the processing device, the decryption part 350 computes Formula 175, and thereby generates a session key K=g_(T) ^(ζ).

$\begin{matrix}K := e(c_0, k_0^{*}) \cdot \prod_{j=1}^{6} \left( e(E_j^{*}, K_{1,j}) \cdot e(D_{jn}^{*}, K_{2,j}) \right) & \left\lbrack \text{Formula 175} \right\rbrack\end{matrix}$

The process of (S407) is the same as that in Embodiment 1.

In brief, in (S401) through (S407), the decryption device 300 generates the message m′(=m) by executing the Dec algorithm indicated in Formula 176.

$\begin{matrix}\begin{aligned}
& \mathrm{Dec}(pk,\ sk_{\Gamma} := (\Gamma, k_0^{*}, \{K_{1,j}, K_{2,j}\}_{j=1,\ldots,6}),\ ct_{\mathbb{S}} := (\mathbb{S}, c_0, c_1, \ldots, c_L, c_3)): \\
& \quad \text{If } \mathbb{S} \text{ accepts } \Gamma, \text{ then compute } I \text{ and } \{\alpha_i\}_{i \in I} \text{ such that } \vec{1} = \sum_{i \in I} \alpha_i M_i, \\
& \quad \text{where } M_i \text{ is the } i\text{-th row of } M, \text{ and} \\
& \quad I \subseteq \left\{ i \in \{1, \ldots, L\} \mid \left[ \rho(i) = v_i \wedge v_i \in \Gamma \right] \vee \left[ \rho(i) = \neg v_i \wedge v_i \notin \Gamma \right] \right\}, \\
& \quad \vec{y} := (y_1, \ldots, y_n) \text{ such that } \sum_{j=0}^{n-1} y_{n-j} z^{j} = z^{n-1-n'} \cdot \prod_{j=1}^{n'} (z - x_j), \\
& \quad (D_1^{*}, \ldots, D_{6n}^{*}) := \sum_{i \in I \,\wedge\, \rho(i) = v_i} \alpha_i c_i + \sum_{i \in I \,\wedge\, \rho(i) = \neg v_i} \frac{\alpha_i}{\vec{v}_i \cdot \vec{y}} c_i, \\
& \quad E_j^{*} := \sum_{L=1}^{n-1} y_{L-1} D_{(j-1)n+L}^{*} \quad \text{for } j = 1, \ldots, 6, \\
& \quad K := e(c_0, k_0^{*}) \cdot \prod_{j=1}^{6} \left( e(E_j^{*}, K_{1,j}) \cdot e(D_{jn}^{*}, K_{2,j}) \right), \\
& \quad \text{return } m' := c_3 / K.
\end{aligned} & \left\lbrack \text{Formula 176} \right\rbrack\end{matrix}$

In the CP-ABE scheme described in Embodiment 2, the decryption key sk_(Γ) consists of a total of 17 elements of G, which are five elements in the element k₀, and 12 elements in the element C_(1,j) and the element C_(2,j) for each integer j=1, . . . ,6. That is, the decryption key sk_(Γ) is constant-size in n.

In the CP-ABE scheme described in Embodiment 2, the decryption process (Dec algorithm) executes only a total of 17 pairing operations, similarly as in the KP-ABE scheme described in Embodiment 1. That is, the number of pairing operations required for the decryption process is small.
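
Added example (not part of the patent text): the Python code below models, in the exponent only, how the coefficient vector y of (S503) and the power vectors v_i of Formula 171 interact with the span-program recombination of Formula 176, so that Σ α_i s_i = s₀ is recovered exactly when the access structure accepts Γ. It omits the pairing groups, the dual bases and the randomness ω, φ, η; the prime Q, the function names and the sample policy are assumptions made for the illustration.

```python
import secrets

Q = 2**61 - 1  # constructed prime standing in for the group order q (assumption)

def y_vector(gamma, n, q=Q):
    """(y_1..y_n) with sum_{j=0}^{n-1} y_{n-j} z^j = z^(n-1-n') * prod_j (z - x_j)."""
    if len(gamma) > n - 1 or any(x % q == 0 for x in gamma):
        raise ValueError("need n' <= n-1 and every x_j in F_q^x")
    coeffs = [1]                        # highest-degree coefficient first
    for x in gamma:                     # multiply the polynomial by (z - x)
        nxt = coeffs + [0]
        for k, c in enumerate(coeffs):
            nxt[k + 1] = (nxt[k + 1] - c * x) % q
        coeffs = nxt
    return coeffs + [0] * (n - 1 - len(gamma))   # factor z^(n-1-n')

def v_vector(v, n, q=Q):
    """v_i := (v^(n-1), ..., v, 1), so that v_i . y is the polynomial evaluated at v."""
    return [pow(v, n - 1 - k, q) for k in range(n)]

def inner(a, b, q=Q):
    return sum(x * y for x, y in zip(a, b)) % q

def solve_alpha(rows, r, q=Q):
    """Return alpha with sum_i alpha_i * rows[i] = (1,...,1) over F_q, or None."""
    m = len(rows)
    aug = [[rows[i][c] % q for i in range(m)] + [1] for c in range(r)]
    pivots, rank = [], 0
    for col in range(m):                # Gauss-Jordan elimination mod q
        p = next((k for k in range(rank, r) if aug[k][col]), None)
        if p is None:
            continue
        aug[rank], aug[p] = aug[p], aug[rank]
        inv = pow(aug[rank][col], -1, q)
        aug[rank] = [a * inv % q for a in aug[rank]]
        for k in range(r):
            if k != rank and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(a - f * b) % q for a, b in zip(aug[k], aug[rank])]
        pivots.append(col)
        rank += 1
        if rank == r:
            break
    if any(row[m] for row in aug[rank:]):
        return None                     # the all-ones vector is not in the span
    alpha = [0] * m                     # free variables are set to 0
    for k, col in enumerate(pivots):
        alpha[col] = aug[k][m]
    return alpha

def share_and_recombine(M, rho, gamma, n, q=Q):
    """Return (s0, recovered) if S = (M, rho) accepts gamma, else None.

    rho[i] = (True, v) models rho(i) = v_i; (False, v) models rho(i) = NOT v_i.
    """
    y = y_vector(gamma, n, q)
    r = len(M[0])
    f = [secrets.randbelow(q) for _ in range(r)]     # Formula 166
    s = [inner(row, f, q) for row in M]              # Formula 167
    s0 = sum(f) % q                                  # Formula 168
    # Rows usable in decryption: positive with v in gamma, negative with v not in gamma.
    I = [i for i, (pos, v) in enumerate(rho) if pos == (v in gamma)]
    alpha = solve_alpha([M[i] for i in I], r, q)
    if alpha is None:
        return None
    e1 = [1] + [0] * (n - 1)
    recovered = 0
    for a, i in zip(alpha, I):
        pos, v = rho[i]
        vi = v_vector(v, n, q)
        if pos:   # block s_i*e_1 + theta_i*v_i: y_1 = 1 and v_i . y = 0 leave s_i
            theta = secrets.randbelow(q)
            block = [(s[i] * e + theta * c) % q for e, c in zip(e1, vi)]
            recovered += a * inner(block, y, q)
        else:     # block s_i*v_i: divide by v_i . y, nonzero because v is not in gamma
            block = [s[i] * c % q for c in vi]
            recovered += a * inner(block, y, q) * pow(inner(vi, y, q), -1, q)
    return s0, recovered % q

# Constructed sample policy "(3 AND NOT 7) OR 11" as a span program with target (1, 1).
SAMPLE_M = [[1, 0], [0, 1], [1, 1]]
SAMPLE_RHO = [(True, 3), (False, 7), (True, 11)]
```
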

Embodiment 3

In Embodiment 3, an FE scheme to which the ABE scheme described in Embodiment 1 or 2 is applied will be described.

In Embodiment 3, description will be omitted for what is the same as in Embodiment 1 or 2, and differences from Embodiment 1 or 2 will be described.

A KP-FE scheme to which the KP-ABE scheme described in Embodiment 1 is applied will be described herein.

In the KP-ABE scheme described in Embodiment 1, the elements (C_(1,j), C_(2,j)) of the ciphertext are associated with the elements {k*_(i)}_(i=1, . . . , L) of the decryption key. In the KP-FE scheme, elements (C_(1,j,t), C_(2,j,t)) of a ciphertext and elements {k*_(i,t)}_(i=1, . . . , L) of a decryption key are generated for each category t. Then, the elements (C_(1,j,t), C_(2,j,t)) of the ciphertext are associated with the elements {k*_(i,t)}_(i=1, . . . , L) of the decryption key.

The configurations of a key generation device 100, an encryption device 200, and a decryption device 300 are the same as the configurations of the key generation device 100, the encryption device 200, and the decryption device 300 according to Embodiment 1 illustrated in FIG. 6 to FIG. 8, respectively.

The process of each algorithm has the same flow as that of the process of each algorithm according to Embodiment 1 illustrated in FIG. 9 to FIG. 12.

With reference to FIG. 9, the process of the Setup algorithm will be described.

(S101: Space Generation Step)

The space generation part 111 generates a parameter param_(G):=(q, G, G_(T), g, e), similarly as in Embodiment 1.

Further, the space generation part 111 sets N₀:=5 and N_(1,t):=6n_(t) for each integer t=1, . . . , d, where d is the value representing the number of attribute categories and an integer of 1 or greater, and n_(t) is an integer of 1 or greater. Then, with the processing device, the space generation part 111 executes G_(dpvs) taking as input a security parameter 1^(λ), N₀, and the parameter param_(G) of symmetric bilinear pairing groups, and thereby generates a parameter param_(V0):=(q, V₀, G_(T), A, e) of dual pairing vector spaces. With the processing device, the space generation part 111 also executes G_(dpvs) taking as input the security parameter 1^(λ), N_(1,t), and the parameter param_(G) of symmetric bilinear pairing groups for each integer t=1, . . . , d, and thereby generates a parameter param_(V1,t):=(q, V_(1,t), G_(T), A, e) of dual pairing vector spaces.

(S102: Linear Transformation Generation Step)

With the processing device, the matrix generation part 112 generates a linear transformation X₀ and a linear transformation {X_(1,t)}_(t=1, . . . , d).

The linear transformation X₀ is the same as that in Embodiment 1. The linear transformation {X_(1,t)}_(t=1, . . . , d) is generated as indicated in Formula 177.

$\begin{matrix}X_{1,t} \overset{U}{\leftarrow} \mathcal{L}(6, n_t, \mathbb{F}_q) \quad \text{for } t = 1, \ldots, d & \left\lbrack \text{Formula 177} \right\rbrack\end{matrix}$

In the following, {μ_(i,j,t),μ′_(i,j,L,t)}_(i,j=1, . . . ,6; L=1, . . . , n) denotes non-zeroelements in the linear transformation X_(1,t).

(S103: Basis B Generation Step)

With the processing device, the basis generation part 113 generates a basis B₀, a variable B_(i,j,t), and a variable B′_(i,j,L,t), as indicated in Formula 178.

$\begin{matrix}\begin{aligned}
& b_{0,i} := (\chi_{0,i,1}, \ldots, \chi_{0,i,5})_{\mathbb{A}} = \sum_{j=1}^{5} \chi_{0,i,j} a_j \quad \text{for } i = 1, \ldots, 5, \\
& \mathbb{B}_0 := (b_{0,1}, \ldots, b_{0,5}), \\
& B_{i,j,t} := \mu_{i,j,t}\, g, \quad B'_{i,j,L,t} := \mu'_{i,j,L,t}\, g \quad \text{for } i, j = 1, \ldots, 6;\ L = 1, \ldots, n_t;\ t = 1, \ldots, d
\end{aligned} & \left\lbrack \text{Formula 178} \right\rbrack\end{matrix}$

With the processing device, the basis generation part 113 generates a basis B*₀ and a basis B*_(1,t), as indicated in Formula 179.

$\begin{matrix}\begin{aligned}
& (\theta_{0,i,j})_{i,j=1,\ldots,5} := \psi \cdot (X_0^{T})^{-1}, \\
& b_{0,i}^{*} := (\theta_{0,i,1}, \ldots, \theta_{0,i,5})_{\mathbb{A}} = \sum_{j=1}^{5} \theta_{0,i,j} a_j \quad \text{for } i = 1, \ldots, 5, \\
& \mathbb{B}_0^{*} := (b_{0,1}^{*}, \ldots, b_{0,5}^{*}), \\
& \text{for } t = 1, \ldots, d: \\
& (\theta_{t,i,j})_{i,j=1,\ldots,N_{1,t}} := \psi \cdot (X_{1,t}^{T})^{-1}, \\
& b_{1,i,t}^{*} := (\theta_{1,i,1,t}, \ldots, \theta_{1,i,N_{1,t},t})_{\mathbb{A}} = \sum_{j=1}^{N_{1,t}} \theta_{1,i,j,t} a_j \quad \text{for } i = 1, \ldots, N_{1,t}, \\
& \mathbb{B}_{1,t}^{*} := (b_{1,1,t}^{*}, \ldots, b_{1,N_{1,t},t}^{*})
\end{aligned} & \left\lbrack \text{Formula 179} \right\rbrack\end{matrix}$

(S104: Basis B̂ Generation Step)

With the processing device, the key generation part 114 generates a basis B̂₀, a basis B̂_(1,t), a basis B̂*₀, and a basis B̂*_(1,t), as indicated in Formula 180.

$\begin{matrix}\begin{aligned}
& \hat{\mathbb{B}}_0 := (b_{0,1}, b_{0,3}, b_{0,5}), \\
& \text{for } t = 1, \ldots, d: \\
& \hat{\mathbb{B}}_{1,t} := (b_{1,1,t}, \ldots, b_{1,n_t,t}, b_{1,5n_t+1,t}, \ldots, b_{1,6n_t,t}) = \{B_{i,j,t}, B'_{i,j,L,t}\}_{i=1,6;\ j=1,\ldots,6;\ L=1,\ldots,n_t;\ t=1,\ldots,d}, \\
& \hat{\mathbb{B}}_0^{*} := (b_{0,1}^{*}, b_{0,3}^{*}, b_{0,4}^{*}), \\
& \text{for } t = 1, \ldots, d: \\
& \hat{\mathbb{B}}_{1,t}^{*} := (b_{1,1,t}^{*}, \ldots, b_{1,n_t,t}^{*}, b_{1,3n_t+1,t}^{*}, \ldots, b_{1,5n_t,t}^{*})
\end{aligned} & \left\lbrack \text{Formula 180} \right\rbrack\end{matrix}$

(S105: Master Key Generation Step)

With the processing device, the key generation part 114 generates a public parameter pk:=(1^(λ), param_(n), B̂₀, {B̂_(1,t)}_(t=1, . . . , d)) and a master secret key sk:=(B̂*₀, {B̂*_(1,t)}_(t=1, . . . , d)). Then, the key generation part 114 stores the public parameter pk and the master secret key sk in the master key storage part 120.

Note that param_(n):=(param_(V0), {param_(V1,t)}_(t=1, . . . , d), g_(T)).

In brief, in (S101) through (S105), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 182, the Setup algorithm using an algorithm G^(FE(1)) _(ob) indicated in Formula 181.

$\begin{matrix}\begin{aligned}
& \mathcal{G}_{ob}^{FE(1)}(1^{\lambda}, 6, n_t): \\
& \quad \mathrm{param}_{\mathbb{G}} := (q, \mathbb{G}, \mathbb{G}_T, g, e) \overset{R}{\leftarrow} \mathcal{G}_{bpg}(1^{\lambda}), \\
& \quad N_0 := 5, \quad N_{1,t} := 6 n_t \quad \text{for } t = 1, \ldots, d, \\
& \quad \mathrm{param}_{\mathbb{V}_0} := (q, \mathbb{V}_0, \mathbb{G}_T, \mathbb{A}, e) := \mathcal{G}_{dpvs}(1^{\lambda}, N_0, \mathrm{param}_{\mathbb{G}}), \\
& \quad \mathrm{param}_{\mathbb{V}_{1,t}} := (q, \mathbb{V}_{1,t}, \mathbb{G}_T, \mathbb{A}, e) := \mathcal{G}_{dpvs}(1^{\lambda}, N_{1,t}, \mathrm{param}_{\mathbb{G}}) \quad \text{for } t = 1, \ldots, d, \\
& \quad \psi \overset{U}{\leftarrow} \mathbb{F}_q^{\times}, \quad g_T := e(g, g)^{\psi}, \\
& \quad \mathrm{param}_n := (\mathrm{param}_{\mathbb{V}_0}, \{\mathrm{param}_{\mathbb{V}_{1,t}}\}_{t=1,\ldots,d}, g_T), \\
& \quad X_0 := (\chi_{0,i,j})_{i,j=1,\ldots,5} \overset{U}{\leftarrow} GL(N_0, \mathbb{F}_q), \\
& \quad X_{1,t} \overset{U}{\leftarrow} \mathcal{L}(6, n_t, \mathbb{F}_q) \quad \text{for } t = 1, \ldots, d, \\
& \quad \text{hereafter, } \{\mu_{i,j,t}, \mu'_{i,j,L,t}\}_{i,j=1,\ldots,6;\ L=1,\ldots,n_t;\ t=1,\ldots,d} \text{ denotes non-zero entries of } X_{1,t}, \\
& \quad b_{0,i} := (\chi_{0,i,1}, \ldots, \chi_{0,i,5})_{\mathbb{A}} = \sum_{j=1}^{5} \chi_{0,i,j} a_j \quad \text{for } i = 1, \ldots, 5, \quad \mathbb{B}_0 := (b_{0,1}, \ldots, b_{0,5}), \\
& \quad B_{i,j,t} := \mu_{i,j,t}\, g, \quad B'_{i,j,L,t} := \mu'_{i,j,L,t}\, g \quad \text{for } i, j = 1, \ldots, 6;\ L = 1, \ldots, n_t;\ t = 1, \ldots, d, \\
& \quad (\vartheta_{0,i,j})_{i,j=1,\ldots,5} := \psi \cdot (X_0^{T})^{-1}, \\
& \quad b_{0,i}^{*} := (\vartheta_{0,i,1}, \ldots, \vartheta_{0,i,5})_{\mathbb{A}} = \sum_{j=1}^{5} \vartheta_{0,i,j} a_j \quad \text{for } i = 1, \ldots, 5, \quad \mathbb{B}_0^{*} := (b_{0,1}^{*}, \ldots, b_{0,5}^{*}), \\
& \quad \text{for } t = 1, \ldots, d: \quad (\vartheta_{t,i,j})_{i,j=1,\ldots,N_{1,t}} := \psi \cdot (X_{1,t}^{T})^{-1}, \\
& \quad b_{1,i,t}^{*} := (\vartheta_{1,i,1,t}, \ldots, \vartheta_{1,i,N_{1,t},t})_{\mathbb{A}} = \sum_{j=1}^{N_{1,t}} \vartheta_{1,i,j,t} a_j \quad \text{for } i = 1, \ldots, N_{1,t}, \\
& \quad \mathbb{B}_{1,t}^{*} := (b_{1,1,t}^{*}, \ldots, b_{1,N_{1,t},t}^{*}), \\
& \quad \text{return } (\mathrm{param}_n, \mathbb{B}_0, \mathbb{B}_0^{*}, \{B_{i,j,t}, B'_{i,j,L,t}\}_{i,j=1,\ldots,6;\ L=1,\ldots,n_t;\ t=1,\ldots,d}, \mathbb{B}_{1,t}^{*}).
\end{aligned} & \left\lbrack \text{Formula 181} \right\rbrack \\
\begin{aligned}
& \mathrm{Setup}(1^{\lambda}, n_t): \\
& \quad (\mathrm{param}_n, \mathbb{B}_0, \mathbb{B}_0^{*}, \{B_{i,j,t}, B'_{i,j,L,t}\}_{i,j=1,\ldots,6;\ L=1,\ldots,n_t;\ t=1,\ldots,d}, \mathbb{B}_{1,t}^{*}) \overset{R}{\leftarrow} \mathcal{G}_{ob}^{FE(1)}(1^{\lambda}, 6, n_t), \\
& \quad \hat{\mathbb{B}}_0 := (b_{0,1}, b_{0,3}, b_{0,5}), \\
& \quad \text{for } t = 1, \ldots, d: \\
& \quad \hat{\mathbb{B}}_{1,t} := (b_{1,1,t}, \ldots, b_{1,n_t,t}, b_{1,5n_t+1,t}, \ldots, b_{1,6n_t,t}) = \{B_{i,j,t}, B'_{i,j,L,t}\}_{i=1,6;\ j=1,\ldots,6;\ L=1,\ldots,n_t;\ t=1,\ldots,d}, \\
& \quad \hat{\mathbb{B}}_0^{*} := (b_{0,1}^{*}, b_{0,3}^{*}, b_{0,4}^{*}), \\
& \quad \text{for } t = 1, \ldots, d: \\
& \quad \hat{\mathbb{B}}_{1,t}^{*} := (b_{1,1,t}^{*}, \ldots, b_{1,n_t,t}^{*}, b_{1,3n_t+1,t}^{*}, \ldots, b_{1,5n_t,t}^{*}), \\
& \quad pk := (1^{\lambda}, \mathrm{param}_n, \hat{\mathbb{B}}_0, \{\hat{\mathbb{B}}_{1,t}\}_{t=1,\ldots,d}), \\
& \quad sk := (\hat{\mathbb{B}}_0^{*}, \{\hat{\mathbb{B}}_{1,t}^{*}\}_{t=1,\ldots,d}), \\
& \quad \text{return } pk, sk.
\end{aligned} & \left\lbrack \text{Formula 182} \right\rbrack\end{matrix}$

With reference to FIG. 10, the process of the KeyGen algorithm will be described.

The process of (S201) through (S202) is the same as that in Embodiment 1.

(S203: s Vector Generation Step)

With the processing device, the s vector generation part 142 generates a vector $\vec{s}^{T} := (s_1, \ldots, s_L)^{T}$, as indicated in Formula 183.

$\vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}$  [Formula 183]

With the processing device, the s vector generation part 142 also generates a value s₀, as indicated in Formula 184.

$s_0 := \vec{1} \cdot \vec{f}^{T}$  [Formula 184]

(S204: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 185.

$\begin{matrix}{{{\eta_{0}\overset{U}{}_{q}},{{{{\overset{->}{\eta}}_{i}\overset{U}{}_{q}^{2n_{t}}}\mspace{31mu} {for}\mspace{14mu} i} = 1},\ldots \mspace{11mu},L,{{{\theta_{i}\overset{U}{}_{q}}\mspace{31mu} {for}\mspace{14mu} i} = 1},\ldots \mspace{11mu},L}\mspace{25mu}} & \left\lbrack {{Formula}\mspace{14mu} 185} \right\rbrack\end{matrix}$

(S205: Key Element Generation Step)

With the processing device, the key element generation part 144 generates an element k*₀ of a decryption key sk_(S), similarly as in Embodiment 1.

With the processing device, the key element generation part 144 also generates an element k*_(i) of the decryption key sk_(S) for each integer i=1, . . . , L and an index t included in a set I_(vi→), as indicated in Formula 186.

$\begin{matrix}{{{{for}\mspace{14mu} i} = 1},\ldots \mspace{11mu},L,{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,v_{i}} \right)},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots \mspace{11mu},v_{i},1} \right)},{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{}}{{{s_{i}{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\overset{\overset{2n_{t}}{}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{}}{0^{n_{t}}}} \right)_{_{1,t}^{*}}},{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,v_{i}} \right)}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots \mspace{11mu},v_{i},1} \right)},{k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{}}{{s_{i}{\overset{->}{v}}_{i}},}\overset{\overset{2n_{t}}{}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{}}{0^{n_{t}}}} \right)_{_{1,t}^{*}}}} & \left\lbrack {{Formula}\mspace{14mu} 186} \right\rbrack\end{matrix}$

The process of (S206) is the same as that in Embodiment 1.

In brief, in (S201) through (S205), the key generation device 100 generates the decryption key sk_(S) by executing the KeyGen algorithm indicated in Formula 187. In (S206), the key generation device 100 transmits the generated decryption key sk_(S) to the decryption device 300.

$\begin{matrix}{\mspace{79mu} {{{{{KeyGen}\left( {{pk},{sk},{ = \left( {M,\rho} \right)}} \right)}\text{:}}\mspace{20mu} {{\overset{->}{f}\overset{U}{}_{q}^{r}},\mspace{20mu} {{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots \mspace{11mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},\mspace{20mu} {\eta_{0}\overset{U}{}_{q}},\mspace{20mu} {k_{0}^{*}:=\left( {{- s_{0}},0,1,\eta_{0},0} \right)_{_{0}^{*}}},\mspace{20mu} {{{for}\mspace{14mu} i} = 1},\ldots \mspace{11mu},L,{t = 1},\ldots \mspace{11mu},d,\mspace{79mu} {{{if}\mspace{14mu} {\rho (i)}} = \left( {t,v_{i}} \right)},\mspace{59mu} {{\overset{\mspace{25mu}->}{\mspace{20mu} v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots \mspace{11mu},v_{i},1} \right)},{\theta_{i}\overset{U}{}_{q}},{{\overset{->}{\eta}}_{i}\overset{U}{}_{q}^{2n_{t}}},\mspace{20mu} {k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{}}{{{s_{i}{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\overset{\overset{2n_{t}}{}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{}}{0^{n_{t}}}} \right)_{_{1,t}^{*}}},{{{if}\mspace{14mu} \rho (i)} = {\left( {t,v_{i}} \right)}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots \mspace{11mu},v_{i},1} \right)},{{\overset{->}{\eta}}_{i}\overset{U}{}_{q}^{2n_{t}}},\mspace{20mu} {k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{}}{{s_{i}{\overset{->}{v}}_{i}},}\overset{\overset{2n_{t}}{}}{0^{2n_{t}},}\overset{\overset{2n_{t}}{}}{{\overset{->}{\eta}}_{i},}\overset{\overset{n_{t}}{}}{0^{n_{t}}}} \right)_{_{1,t}^{*}}}}}\mspace{20mu} {{sk}_{}:=\left( {,k_{0}^{*},\left\{ k_{i}^{*} \right)_{{i = 1},\ldots \mspace{11mu},L}} \right)}\mspace{20mu} {{return}\mspace{14mu} {{sk}_{}.}}}\mspace{14mu}} & \left\lbrack {{Formula}\mspace{14mu} 187} \right\rbrack\end{matrix}$
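The share generation of Formula 183 and Formula 184, and the coefficients α_i with 1→ = Σ α_i M_i that the Dec algorithm computes, can be checked with plain arithmetic modulo a prime. The following Python is an added example, not code from the patent: the prime Q, the sample matrix M and all function names are constructed for illustration, and the bases and pairing group are left out.

```python
import secrets

# Added example: span-program secret sharing over F_q (no pairing group).
Q = 2**61 - 1  # a prime standing in for the group order q (assumption)


def share(M, q=Q, f=None):
    """Formula 183/184: s^T := M . f^T and s_0 := (1,...,1) . f^T."""
    r = len(M[0])
    if f is None:
        f = [secrets.randbelow(q) for _ in range(r)]  # f drawn uniformly from F_q^r
    s = [sum(m * x for m, x in zip(row, f)) % q for row in M]
    s0 = sum(f) % q
    return s0, s


def solve_alpha(M, rows, q=Q):
    """Return {i: alpha_i} with sum_{i in rows} alpha_i * M_i = (1,...,1) mod q,
    or None when the chosen rows do not span the all-ones vector."""
    r = len(M[0])
    # One equation per column c of M: sum_i alpha_i * M[i][c] = 1.
    A = [[M[i][c] % q for i in rows] + [1] for c in range(r)]
    pivots, rank = [], 0
    for col in range(len(rows)):
        p = next((k for k in range(rank, r) if A[k][col]), None)
        if p is None:
            continue  # free variable, left at 0
        A[rank], A[p] = A[p], A[rank]
        inv = pow(A[rank][col], -1, q)
        A[rank] = [x * inv % q for x in A[rank]]
        for k in range(r):
            if k != rank and A[k][col]:
                fac = A[k][col]
                A[k] = [(x - fac * y) % q for x, y in zip(A[k], A[rank])]
        pivots.append(col)
        rank += 1
        if rank == r:
            break
    if any(row[-1] for row in A[rank:]):
        return None  # 0 = non-zero: the system is inconsistent
    alpha = {i: 0 for i in rows}
    for k, col in enumerate(pivots):
        alpha[rows[col]] = A[k][-1]
    return alpha


def reconstruct(alpha, s, q=Q):
    """sum alpha_i * s_i, which equals s_0 for an accepting row set."""
    return sum(a * s[i] for i, a in alpha.items()) % q


# Constructed matrix for the policy (row0 AND row1) OR row2, target vector (1, 1).
M_SAMPLE = [[1, 0], [0, 1], [1, 1]]

if __name__ == "__main__":
    s0, s = share(M_SAMPLE)
    for rows in ([0, 1], [2], [0], [1]):
        alpha = solve_alpha(M_SAMPLE, rows)
        ok = alpha is not None and reconstruct(alpha, s) == s0
        print(rows, "recovers s_0" if ok else "cannot recover s_0")
```

A row set for which `solve_alpha` returns None has no linear combination that yields s₀.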

With reference to FIG. 11, the process of the Enc algorithm will be described.

The process of (S301) is the same as that in Embodiment 1.

(S302: Information Input Step)

With the input device, the information input part 220 takes as input a message m to be transmitted to the decryption device 300. With the input device, the information input part 220 also takes as input an attribute set Γ_(t):={x_(1,t), . . . ,x_(n_t′,t), n_(t)′≦n_(t)−1, t=1, . . . , d}.

(S303: Random Number Generation Step)

With the processing device, the random number generation part 231 generates random numbers, as indicated in Formula 188.

$\begin{matrix}{\omega,\phi_{0},{\zeta \overset{U}{}_{q}},{{{\phi_{1,t}\overset{U}{}_{q}}\mspace{31mu} t} = 1},\ldots \mspace{11mu},d} & \left\lbrack {{Formula}\mspace{14mu} 188} \right\rbrack\end{matrix}$

(S304: Cipher Element Generation Step)

With the processing device, the cipher element generation part 232 generates an element c₀ and an element c₃ of a ciphertext ct_(Γ), similarly as in Embodiment 1.

With the processing device, the cipher element generation part 232 also generates elements C_(1,j,t) and C_(2,j,t) of the ciphertext ct_(Γ), as indicated in Formula 189.

for j=1, . . . ,6; t=1, . . . , d

$C_{1,j,t} := \omega B_{1,j,t} + \eta_{1,t} B_{6,j,t},$

$C_{2,j,t} := \sum_{L=1}^{n_t} y_{L,t}\left(\omega B'_{1,j,L,t} + \phi_{1} B'_{6,j,L,t}\right)$  [Formula 189]

where

$\vec{y}_t := (y_{1,t}, \ldots, y_{n_t,t})$ such that $\sum_{j=0}^{n_t-1} y_{n_t-j,t}\, z^{j} = z^{n_t-1-n_t'} \cdot \prod_{j=1}^{n_t'} (z - x_{j,t})$

The process of (S305) is the same as that in Embodiment 1.

In brief, in (S301) through (S304), the encryption device 200 generates the ciphertext ct_(Γ) by executing the Enc algorithm indicated in Formula 190. In (S305), the encryption device 200 transmits the generated ciphertext ct_(Γ) to the decryption device 300.

$\begin{matrix}{{{{Enc}\left( {{pk}, m, {\Gamma_{t} =}}\quad \right.}\left. \quad\left\{ {x_{1,t},\ldots \mspace{11mu},{{x_{n_{t}^{\prime},\; t,}n_{t}^{\prime}} \leq {n_{t} - 1}},{t = 1},\ldots \mspace{11mu},d} \right\} \right)\text{:}}\mspace{20mu} {\omega,\phi_{0},{\zeta \overset{U}{}_{q}},{{{\phi_{1,t}\overset{U}{}_{q}}\mspace{20mu} t} = 1},\ldots,,d,{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots \mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu} {such}\mspace{14mu} {that}\mspace{14mu} {\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},\mspace{20mu} {c_{0}:=\left( {\omega,0,\zeta,0,\phi_{0}} \right)_{_{0}}},\mspace{20mu} {{{for}\mspace{14mu} j} = 1},\ldots \mspace{11mu},{6;{t = 1}},\ldots \mspace{11mu},d}\mspace{20mu} {{C_{1,j,t}:={{\omega \; B_{1,j,t}} + {\eta_{1,t}B_{6,j,t}}}},\mspace{20mu} {C_{2,j,t}:={\sum_{L = 1}^{n_{t}}{y_{L,t}\left( {{\omega \; B_{1,j,L,t}^{\prime}} + {\phi_{1}B_{6,j,L,t}^{\prime}}} \right)}}},\mspace{20mu} {c_{3}:={g_{T}^{\zeta}m}},\mspace{20mu} {{ct}_{\Gamma}:=\left( {\Gamma_{t},c_{0},\left\{ {C_{1,j,t},C_{2,j,t}} \right\}_{{j = 1},\; \ldots \;,{6;{t = 1}},\; \ldots \;,d},c_{3}} \right)},\mspace{20mu} {{return}\mspace{14mu} {{ct}_{\Gamma}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 190} \right\rbrack\end{matrix}$

With reference to FIG. 12, the process of the Dec algorithm will be described.

The process of (S401) through (S404) is the same as that in Embodiment 1.

(S405: Decryption Element Generation Step)

With the processing device, the decryption part 350 generates decryption elements D*_(1,t), . . . ,D*_(6n_t,t), and E*_(j,t), as indicated in Formula 191.

$\begin{matrix}{{{{\left( {D_{1,t}^{*},\ldots \mspace{11mu},D_{{6n_{t}},t}^{*}} \right):={{\sum\limits_{{{i \in I_{t}}{\rho {(i)}}} = {({t,v_{i}})}}{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{{i \in I_{t}}{\rho {(i)}}} = {{({t,v_{i}})}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{y}}_{t}}k_{i}^{*}}}}},\mspace{79mu} {E_{j,t}^{*}:={\sum_{L = 1}^{n_{t} - 1}{y_{{L - 1},t}D_{{{{({j - 1})}n_{t}} + L},t}^{*}}}}}\; \mspace{79mu} {{{{for}\mspace{14mu} j} = 1},\ldots \mspace{11mu},{6;{t = 1}},\ldots \mspace{11mu},d}}\mspace{40mu}} & \left\lbrack {{Formula}\mspace{14mu} 191} \right\rbrack\end{matrix}$

(S406: Pairing Operation Step)

With the processing device, the decryption part 350 computes Formula 192, and thereby generates a session key K=g_(T) ^(ζ).

$K := e(c_0, k_0^*) \cdot \prod_{t=1}^{d} \prod_{j=1}^{6} \left( e(C_{1,j,t}, E_{j,t}^*) \cdot e(C_{2,j,t}, D_{jn_t,t}^*) \right)$  [Formula 192]

The process of (S407) is the same as that in Embodiment 1.

In brief, in (S401) through (S407), the decryption device 300 generates the message m′(=m) by executing the Dec algorithm indicated in Formula 193.

$\begin{matrix}{{{\left. {{{\mspace{79mu} {{{{{{Dec}\left( {{pk},{{sk}_{}:=\left( {,k_{0}^{*},k_{1}^{*},\ldots \mspace{11mu},k_{L}^{*}} \right)},{{ct}_{\Gamma}:=\left( {\Gamma_{t},c_{0},\left\{ {C_{1,j,t},C_{2,j,t}} \right\}_{{j = 1},\ldots \mspace{11mu},{6;{t = 1}},\ldots \mspace{11mu},d},c_{3}} \right)}} \right)}\text{:}}{{{If}\mspace{14mu} \mspace{14mu} {accepts}\mspace{14mu} \Gamma},{{then}\mspace{14mu} {compute}\mspace{14mu} I\mspace{14mu} {and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}\mspace{14mu} {that}},\mspace{20mu} {\overset{->}{1} = {\sum\limits_{i \in I}{\alpha_{i}M_{i}}}}}\mspace{20mu} {where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{and}}\; {{I \subseteq \left\{ {i \in \left\{ {1,\ldots \mspace{11mu},L} \right\}} \middle| {{\left\lbrack {{\rho (i)} =}\quad \right.\left( {t,v_{i}} \right)}{v_{i} \in \Gamma_{t}}} \right\rbrack}{\quad\quad}}}\quad}\quad}\left\lbrack {{\rho (i)} = {{\left( {t,v_{i}} \right)}{v_{i} \notin \Gamma_{t}}}} \right\rbrack} \right\},\mspace{85mu} {I_{t} \subseteq \left\{ {\left. {i \in I} \middle| {\rho (i)} \right. 
= {{\left( {t,v_{i}} \right){\rho (i)}} = {\left( {t,v_{i}} \right)}}} \right\}},{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots \mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu} {such}\mspace{14mu} {that}\mspace{14mu} {\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},{\left( {D_{1,t}^{*},\ldots \mspace{11mu},D_{{6n_{t}},t}^{*}} \right):={{\sum\limits_{{{i \in I_{t}}{\rho {(i)}}} = {({t,v_{i}})}}{\alpha_{i}k_{i}^{*}}} + {\sum\limits_{{{i \in I_{t}}{\rho {(i)}}} = {{({t,v_{i}})}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{y}}_{t}}k_{i}^{*}}}}},\mspace{20mu} {E_{j,t}^{*}:={\sum_{L = 1}^{n_{t} - 1}{y_{{L - 1},t}D_{{{{({j - 1})}n_{t}} + L},t}^{*}}}}}\mspace{20mu} \mspace{20mu} {{{{for}\mspace{14mu} j} = 1},\ldots \mspace{11mu},{6;{t = 1}},\ldots \mspace{11mu},d,{K:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod_{t = 1}^{d}{\prod_{j = 1}^{6}\left( {{e\left( {C_{1,j,t},E_{j,t}^{*}} \right)} \cdot \; {e\left( {C_{2,j,t},D_{{jn}_{t},t}^{*}} \right)}} \right)}}}},\mspace{20mu} {{{return}\mspace{14mu} m^{\prime}}:=\; {c_{3}/{K.}}}}}\mspace{14mu}} & \left\lbrack {{Formula}\mspace{14mu} 193} \right\rbrack\end{matrix}$
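How y→_t encodes the attribute set Γ_t, and why the Dec algorithm can divide by v→_i·y→_t exactly when v_i ∉ Γ_t, shown as an added Python example that is not code from the patent. The prime Q, the attribute values and all function names are constructed for illustration; the arithmetic is in F_q only, without the pairing group.

```python
# Added example: attribute-set encoding as polynomial coefficients over F_q.
Q = 2**61 - 1  # a prime standing in for the group order q (assumption)


def encode_attribute_set(xs, n, q=Q):
    """Return y = (y_1, ..., y_n) such that
    sum_{j=0}^{n-1} y_{n-j} z^j = z^(n-1-n') * prod_{j=1}^{n'} (z - x_j)  (mod q)."""
    xs = [x % q for x in xs]
    n_prime = len(xs)
    if n_prime > n - 1:
        raise ValueError("n' must satisfy n' <= n - 1")
    if len(set(xs)) != n_prime:
        raise ValueError("attribute values must be distinct mod q")
    asc = [1]  # coefficients in ascending powers of z
    for x in xs:
        nxt = [0] * (len(asc) + 1)
        for k, c in enumerate(asc):
            nxt[k] = (nxt[k] - x * c) % q      # contribution of c*z^k * (-x)
            nxt[k + 1] = (nxt[k + 1] + c) % q  # contribution of c*z^k * z
        asc = nxt
    asc = [0] * (n - 1 - n_prime) + asc  # multiply by the padding z^(n-1-n')
    return asc[::-1]  # y_L is the coefficient of z^(n-L)


def power_vector(v, n, q=Q):
    """v_vec := (v^(n-1), ..., v, 1)."""
    return [pow(v, n - 1 - k, q) for k in range(n)]


def inner(a, b, q=Q):
    return sum(x * y for x, y in zip(a, b)) % q


def in_set(v, y, q=Q):
    """v_vec . y equals the polynomial evaluated at v, so it is 0 iff v is a root."""
    return inner(power_vector(v, len(y), q), y, q) == 0


def non_member_coefficient(alpha, v, y, q=Q):
    """alpha / (v_vec . y), the factor applied in the v_i not-in-Gamma_t case.
    The inverse exists only when v is not a root of the encoded polynomial."""
    ip = inner(power_vector(v, len(y), q), y, q)
    if ip == 0:
        raise ValueError("v is in the attribute set: inner product is 0")
    return alpha * pow(ip, -1, q) % q


if __name__ == "__main__":
    y = encode_attribute_set([5, 11, 42], n=6)   # constructed attribute values
    print([v for v in (5, 7, 11, 42) if in_set(v, y)])
    # Edge case: with n' < n-1 the padding factor makes z = 0 a root as well,
    # so the value 0 is matched even though it is not in the set.
    print(in_set(0, y), in_set(0, encode_attribute_set([5, 11, 42], n=4)))
```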

The KP-FE scheme to which the KP-ABE scheme described in Embodiment 1 is applied has been described herein. A CP-FE scheme to which the CP-ABE scheme described in Embodiment 2 is applied can also be constructed in a similar manner. Each algorithm of the CP-FE scheme to which the CP-ABE scheme described in Embodiment 2 is applied is as indicated in Formula 194 through Formula 198.

$\begin{matrix}{{{{{_{ob}^{{FE}{(2)}}\left( {1^{\lambda},6,n_{t}} \right)}\text{:}}{{\left( {{param}_{n},_{0},_{0}^{*},\left\{ {D_{i,j,t},D_{i,j,L,t}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,{n_{t};{t = 1}},\ldots,d},_{1,t}^{*}} \right)\overset{R}{}{_{ob}^{(1)}\left( {1^{\lambda},6,n_{t}} \right)}},\mspace{79mu} {_{0}:=_{0}^{*}},{_{0}^{*}:=_{0}},{_{1,t}:=_{1,t}^{*}},\mspace{79mu} {B_{i,j,t}^{*}:={{D_{i,j,t,}\mspace{11mu} B_{i,j,L,t}^{\prime*}} = D_{i,j,L,t}^{\prime}}}}}\mspace{79mu}\quad}{\quad{{{for}\mspace{14mu} i},{j = 1},{{\ldots \mspace{14mu} 6};{L = 1}},\ldots \mspace{11mu},n_{t},\mspace{79mu} {{return}\mspace{20mu} {\left( {{param}_{n},_{0},_{0}^{*},\mspace{79mu} \left\{ {_{1,t},\left\{ {B_{i,j,t}^{*},B_{i,j,L,t}^{\prime*}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n_{t}}} \right\}_{{t = 1},\ldots,d}} \right).}}}}} & \left\lbrack {{Formula}\mspace{14mu} 194} \right\rbrack \\{\mspace{79mu} {{{{{Setup}\left( {1^{\lambda},n} \right)}\text{:}}{\left( {{param}_{n},_{0},_{0}^{*},\left\{ {B_{1,t},\left\{ {B_{i,j,t}^{\prime},B_{i,j,L,t}^{\prime*}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n_{t}}} \right\}_{{t = 1},\ldots,d}} \right)\overset{R}{}{_{ob}^{(2)}\left( {1^{\lambda},6,n_{t}} \right)}}},\mspace{20mu} {{\hat{}}_{0}:=\left( {b_{0,1},b_{0,3},b_{0,4}} \right)},{{\hat{}}_{1,t}:=\left( {b_{1,1,t},\ldots \mspace{11mu},b_{1,n_{t},t},b_{1,{{3n_{t}} + 1},t},\ldots \mspace{11mu},b_{1,{5n_{t}},t}} \right)},\mspace{20mu} {{\hat{}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,5}^{*}} \right)},{{\begin{matrix}{{\hat{}}_{1,t}^{*}:=\left( {b_{1,1,t}^{*},\ldots \mspace{11mu},b_{1,n_{t},t}^{*},b_{1,{{5n_{t}} + 1},t}^{*},\ldots \mspace{11mu},b_{1,{6n_{t}},t}^{*}} \right)} \\{{= \left\{ {B_{i,j,t}^{\prime},B_{i,j,L,t}^{\prime*}} \right\}_{{i = 1},{6;{j = 1}},\ldots,{6;{L = 1}},\ldots,{n_{t};{t = 1}},\ldots,d}},}\end{matrix}\mspace{20mu} {pk}}:=\left( 
{1^{\lambda},{param}_{n},{{\hat{}}_{0}\left\{ {\hat{}}_{1,t} \right\}_{{t = 1},\ldots,d}}} \right)},\mspace{20mu} {{sk}:=\left( {{\hat{}}_{0}\left\{ {\hat{}}_{1,t} \right\}_{{t = 1},\ldots,d}} \right)},\mspace{20mu} {{return}\mspace{14mu} {pk}},{{sk}.}}} & \left\lbrack {{Formula}\mspace{14mu} 195} \right\rbrack \\{{\left. \mspace{79mu} {{KeyGen}\left( {{pk},{sk},\; {\Gamma_{t} = x_{1,t}},\ldots \mspace{11mu},x_{n_{t}^{\prime},t},\text{}\mspace{79mu} {n_{t}^{\prime} \leq {n_{t} - 1}},{t = 1},\ldots \mspace{11mu},d} \right\}} \right)\text{:}}\mspace{20mu} {\omega,{\phi_{0}\overset{U}{}_{q}},{{{\phi_{1,t}\overset{U}{}_{q}}\mspace{25mu} t} = 1},\ldots \mspace{11mu},d,{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots \mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu} {such}\mspace{14mu} {that}\mspace{14mu} {\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},\mspace{20mu} {k_{0}^{*}:=\left( {\omega,0,1,0,\phi_{0}} \right)_{_{0}^{*}}},\mspace{20mu} {{{for}\mspace{14mu} j} = 1},\ldots \mspace{11mu},6,\mspace{14mu} {t = 1},\ldots \mspace{11mu},d,\mspace{20mu} {K_{1,j,t}:={{\omega \; B_{1,j,t}} + {\phi_{1,t}B_{6,j,t}}}},\mspace{20mu} {K_{2,j,t}:={\sum_{L = 1}^{n_{t}}{y_{L,t}\left( {{\omega \; B_{1,j,L,t}^{\prime}} + {\phi_{1,t}B_{6,j,L,t}^{\prime}}} \right)}}},\mspace{79mu} {{sk}_{\Gamma}:=\left( {\Gamma_{t},k_{0}^{*},\left\{ {K_{1,j,t},K_{2,j,t}} \right\}_{{j = 1},\ldots,{6;{t = 1}},\ldots,d}} \right)},\mspace{79mu} {{return}\mspace{14mu} {{sk}_{\Gamma}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 196} \right\rbrack \\{\mspace{85mu} {{{{Enc}\left( {{pk},m,{ = \left( {M,\rho} \right)}} \right)}\text{:}}\mspace{20mu} {{\overset{->}{f}\overset{U}{}_{q}^{r}},\mspace{20mu} {{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots \mspace{11mu},s_{L}} \right)^{T}:={M \cdot 
{\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},\mspace{20mu} \eta_{0},{\zeta \overset{U}{}_{q}},\mspace{20mu} {c_{0}:=\left( {{- s_{0}},0,\zeta,\eta_{0},0} \right)_{_{0}}},\mspace{20mu} {{{for}\mspace{14mu} i} =}}{1,\ldots \mspace{11mu},L,\mspace{79mu} {{{if}\mspace{14mu} {\rho (i)}} = \left( {t,v_{i}} \right)},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots \mspace{11mu},v_{i},1} \right)},\mspace{79mu} {\theta_{i}\overset{U}{}_{q}},{{\overset{->}{\eta}}_{i}\overset{U}{}_{q}^{2n_{t}}},\mspace{20mu} {c_{i}:=\left( \; {\overset{\overset{n_{t}}{}}{{{s_{i}{\overset{->}{e}}_{1,t}} + {\theta_{i}{\overset{->}{v}}_{i}}},}\mspace{14mu} \overset{\overset{2n_{t}}{}}{0^{2n_{t}},}\mspace{14mu} \overset{\overset{2n_{t}}{}}{{\overset{->}{\eta}}_{i},}\mspace{14mu} \overset{\overset{n_{t}}{}}{0^{n_{t}}}}\; \right)_{_{1,t}}},{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,v_{i}} \right)}},{{\overset{->}{v}}_{i}:=\left( {v_{i}^{n_{t} - 1},\ldots \mspace{11mu},v_{i},1} \right)},{{\overset{->}{\eta}}_{i}\overset{U}{}_{q}^{2n_{t}}},\mspace{20mu} {c_{i}:=\left( \; {\overset{\overset{n_{t}}{}}{{s_{i}{\overset{->}{v}}_{i}},}\mspace{14mu} \overset{\overset{2n_{t}}{}}{0^{2n_{t}},}\mspace{14mu} \overset{\overset{2n_{t}}{}}{{\overset{->}{\eta}}_{i},}\mspace{14mu} \overset{\overset{n_{t}}{}}{0^{n_{t}}}}\; \right)_{_{1,t}}},\mspace{20mu} {c_{3}:={g_{T}^{\zeta}m}},\mspace{20mu} {{ct}_{}:=\left( {,c_{0},\left\{ c_{i} \right\}_{{i = 1},\ldots,L},c_{3}} \right)},\mspace{20mu} {{return}\mspace{14mu} {{ct}_{}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 197} \right\rbrack \\{{\left. 
{{{{{{{Dec}\left( {{pk},{{sk}_{\Gamma}:=\mspace{79mu} \left( {\Gamma_{t},k_{0}^{*},\left\{ {K_{1,j,t},K_{2,j,t}} \right\}_{{j = 1},\ldots,{6;{t = 1}},\ldots,d}} \right)},\mspace{20mu} {{ct}_{}:=\left( {,c_{0},\left\{ c_{i} \right\}_{{i = 1},\ldots \mspace{11mu},L},c_{3}} \right)}} \right)}\text{:}}{{{If}\mspace{14mu} \mspace{14mu} {accepts}\mspace{14mu} \Gamma},{{then}\mspace{14mu} {compute}\mspace{14mu} I\mspace{14mu} {and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}\mspace{14mu} {that}},\mspace{20mu} {\overset{->}{1} = {\sum\limits_{i \in I}{\alpha_{i}M_{i}\mspace{20mu} {where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M}}},{and}}{{I \subseteq \left\{ {i \in \left\{ {1,\ldots \mspace{11mu},L} \right\}} \middle| {{\left\lbrack {{\rho (i)} =}\quad \right.\left( {t,v_{i}} \right)}{v_{i} \in \Gamma_{t}}} \right\rbrack}}}\quad}\quad}\left\lbrack {{\rho (i)} = {{\left( {t,v_{i}} \right)}{v_{i} \notin \Gamma_{t}}}} \right\rbrack} \right\},\mspace{85mu} {I_{t} \subseteq \left\{ {\left. {i \in I} \middle| {\rho (i)} \right. 
= {{\left( {t,v_{i}} \right){\rho (i)}} = {\left( {t,v_{i}} \right)}}} \right\}},{{\overset{->}{y}}_{t}:={{\left( {y_{1,t},\ldots \mspace{11mu},y_{n_{t},t}} \right)\mspace{14mu} {such}\mspace{14mu} {that}\mspace{14mu} {\sum_{j = 0}^{n_{t} - 1}{y_{{n_{t} - j},t}z^{j}}}} = {z^{n_{t} - 1 - n_{t}^{\prime}} \cdot {\prod_{j = 1}^{n_{t}^{\prime}}\left( {z - x_{j,t}} \right)}}}},{\left( {D_{1,t}^{*},\ldots \mspace{11mu},D_{{6n_{t}},t}^{*}} \right):={{\sum\limits_{{{i \in I_{t}}{\rho {(i)}}} = {({t,v_{i}})}}{\alpha_{i}c_{i}}} + {\sum\limits_{{{i \in I_{t}}{\rho {(i)}}} = {{({t,v_{i}})}}}{\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{y}}_{t}}c_{i}}}}},\mspace{79mu} {E_{j,t}^{*}:={\sum_{L = 1}^{n_{t} - 1}{y_{{L - 1},t}D_{{{{({j - 1})}n_{t}} + L},t}^{*}}}}}{\quad\mspace{79mu} {{{{for}\mspace{14mu} j} = 1},\ldots \mspace{11mu},{6;{t = 1}},\ldots \mspace{11mu},d,{K:={{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod_{t = 1}^{d}{\prod_{j = 1}^{6}\left( {{e\left( {E_{j,t}^{*},K_{1,j,t}} \right)} \cdot \; {e\left( {D_{{jn}_{t},t}^{*},K_{2,j,t}} \right)}} \right)}}}},\mspace{20mu} {{{return}\mspace{14mu} m^{\prime}}:=\; {c_{3}/{K.}}}}\mspace{14mu}}} & \left\lbrack {{Formula}\mspace{14mu} 198} \right\rbrack\end{matrix}$

As described above, it is possible to construct the FE scheme by applying the ABE scheme according to Embodiment 1 or 2.

Embodiment 4

In Embodiment 4, an attribute-based signature (ABS) scheme to which the CP-ABE scheme described in Embodiment 2 is applied will be described.

In Embodiment 4, description will be omitted for what is the same as in Embodiment 2, and differences from Embodiment 1 will be described.

First, a basic structure of the signature scheme according to Embodiment 4 will be described.

Second, a configuration of a cryptographic system 10 that implements the signature scheme according to Embodiment 4 will be described.

Third, the signature scheme according to Embodiment 4 will be described in detail.

<1. Basic Structure of Cryptographic Scheme>

The structure of the ABS scheme will be briefly described. The ABS scheme includes four algorithms: Setup, KeyGen, Sig, and Ver.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and outputs a public parameter pk and a master key sk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input the public parameter pk, the master key sk, and an attribute set Γ:={x_(j)}_(1≦j≦n′), and outputs a signature key sk_(Γ).

(Sig)

A Sig algorithm is a probabilistic algorithm that takes as input the public parameter pk, a message m, an access structure S:=(M, ρ), and the signature key sk_(Γ), and outputs a signature σ.

(Ver)

A Ver algorithm is an algorithm that takes as input the public parameter pk, the message m, the access structure S:=(M, ρ), and the signature σ, and outputs a value “1” indicating that the verification of the signature has succeeded, or a value “0” indicating that the verification of the signature has failed.

<2. Configuration of Cryptographic System 10 that Implements ABS Scheme>

FIG. 18 is a configuration diagram of the cryptographic system 10 that implements the ABS scheme according to Embodiment 4.

The cryptographic system 10 includes a key generation device 100, a signature device 400 (an example of the transmission device), and a verification device 500 (an example of the reception device).

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an upper limit n for the number of attributes for a ciphertext, and thereby generates a public parameter pk and a master key sk. Then, the key generation device 100 publishes the generated public parameter pk. The key generation device 100 also executes the KeyGen algorithm taking as input an attribute set Γ, and thereby generates a signature key sk_(Γ), and transmits the signature key sk_(Γ) to the signature device 400 in secrecy.

The signature device 400 executes the Sig algorithm taking as input the public parameter pk, a message m, the access structure S, and the signature key sk_(Γ), and thereby generates a signature σ. The signature device 400 transmits the generated signature σ, the message m, and the access structure S to the verification device 500.

The verification device 500 executes the Ver algorithm taking as input the public parameter pk, the message m, the access structure S, and the signature σ, and outputs a value “1” or a value “0”.

<3. Signature Scheme>

FIG. 19 is a configuration diagram of the key generation device 100 according to Embodiment 4. FIG. 20 is a configuration diagram of the signature device 400 according to Embodiment 4. FIG. 21 is a configuration diagram of the verification device 500 according to Embodiment 4.

FIG. 22 and FIG. 23 are flowcharts illustrating the operation of the key generation device 100 according to Embodiment 4. FIG. 22 is a flowchart illustrating the process of the Setup algorithm according to Embodiment 4, and FIG. 23 is a flowchart illustrating the process of the KeyGen algorithm according to Embodiment 4. FIG. 24 is a flowchart illustrating the operation of the signature device 400 according to Embodiment 4, and illustrating the process of the Sig algorithm according to Embodiment 4. FIG. 25 is a flowchart illustrating the operation of the verification device 500 according to Embodiment 4, and illustrating the process of the Ver algorithm according to Embodiment 4.

In the following description, H:=(KH_(λ), H_(hk) ^(λ,D)) is a collision-resistant hash function (see Non-Patent Literature 30). A collision-resistant hash function is a hash function for which it is difficult to find two inputs that hash to the same output.

Specifically, the following two items apply to a collision-resistant hash function family H associated with the algorithm G_(bpg) and a polynomial poly(λ).

1. A family of key spaces is indexed by λ. Each such key space is a probability space on bit strings denoted by KH_(λ). There exists a probabilistic polynomial-time algorithm whose output distribution on input 1^(λ) is equal to KH_(λ).

2. A family of hash functions is indexed by λ, hk randomly selected from KH_(λ), and D:={0, 1}^(poly(λ)), where each such function H_(hk) ^(λ,D) maps an element of D to F_(q) ^(x) with q being the first element of output param_(G) of algorithm G_(bpg)(1^(λ)). There exists a deterministic polynomial-time algorithm that outputs H_(hk) ^(λ,D)(d) on input 1^(λ), hk, and d ∈ D.

The function and operation of the key generation device 100 will be described.

As illustrated in FIG. 19, the key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The master key generation part 110 includes a space generation part 111, a matrix generation part 112, a basis generation part 113, and a key generation part 114. The decryption key generation part 140 includes a random number generation part 143 and a key element generation part 144.

With reference to FIG. 22, the process of the Setup algorithm will be described.

(S701: Space Generation Step)

The space generation part 111 generates a parameter param_(G):=(q, G, G_(T), g, e), similarly as in (S101) of FIG. 9.

Further, the space generation part 111 sets N₀:=4, N₁:=6n, and N₂:=7. Then, with the processing device and for each integer t=0, 1, 2, the space generation part 111 executes G_(dpvs) taking as input the security parameter 1^(λ), N_(t), and the parameter param_(G) of symmetric bilinear pairing groups, and thereby generates a parameter param_(Vt):=(q, V_(t), G_(T), A, e) of dual pairing vector spaces.

(S702: Linear Transformation Generation Step)

With the processing device, the matrix generation part 112 generates a linear transformation X_(t) for each integer t=0, 2, as indicated in Formula 199.

$\begin{matrix}{{X_{t}:={{{\left( \chi_{t,i,j} \right)_{i,{j = 1},\ldots \;,N_{t}}\overset{U}{}{{GL}\left( {N_{t},_{q}} \right)}}\mspace{14mu} {for}\mspace{14mu} t} = 0}},2.} & \left\lbrack {{Formula}\mspace{14mu} 199} \right\rbrack\end{matrix}$

With the processing device, the matrix generation part 112 also generates a linear transformation X₁, as indicated in Formula 200.

$\begin{matrix}{X_{1}\overset{U}{}{\left( {6,n,_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 200} \right\rbrack\end{matrix}$

In the following, {μ_(i,j), μ′_(i,j,L)}_(i,j=1, . . . ,6; L=1, . . . ,n) denotes non-zero elements in the linear transformation X₁.

(S703: Basis B Generation Step)

With the processing device, the basis generation part 113 generates a basis B*₀, a basis B*₂, a variable B*_(i,j), and a variable B′*_(i,j,L), as indicated in Formula 201.

for t=0, 2,

b _(t,i)=(χ_(t,i,1), . . . ,χ_(t,i,N) _(t)

=Σ_(j=1) ^(N) ^(t) χ_(t,i,j) a _(j) for i=1, . . . ,N _(t),

_(t):=(b _(t,1) , . . . ,b _(t,N) _(t) )  [Formula 201]

for i, j=1, . . . ,6; L=1, . . . , n,

B _(i,j)*:=μ_(i,j) g,B _(i,j,L)′*:=μ_(i,j,L) ′g

With the processing device, the basis generation part 113 also generates a basis B₀, a basis B₁, and a basis B₂, as indicated in Formula 202.

for t=0,1,2,

(θ_(t,i,j))_(i,j=1, . . . ,N) _(t) :=ψ·(X _(t) ^(T))⁻¹,

b _(t,i)*:=(θ_(t,i,1), . . . θ_(t,i,N) _(t)

=Σ_(j=1) ^(N) ^(t) θ_(t,i,j) a _(j) for i=1, . . . ,N _(t),

_(t)*:=(b _(t,1) *, . . . ,b _(t,N) _(t) )  [Formula 202]

(S704: Basis B̂ Generation Step)

With the processing device, the key generation part 114 generates a basis B̂₀, a basis B̂₁, a basis B̂₂, basis B̂*₀, a basis B̂*₁, and a basis B̂*₂, as indicated in Formula 203.

₀:=(b _(0,1) ,b _(0,4)),

₁:=(b _(1,1) , . . . ,b _(1,n) , b _(1,4n+1) , . . . ,b _(1,6n)),

₂:=(b _(2,1) ,b _(2,2) ,b _(2,7)),

₁*:=(b _(1,1) *, . . . ,b _(1,n) *,b _(1,3n+1) , . . . ,b _(1,4n)*)={B_(i,j) *,B _(i,j,L)*}_(i=1,4; j=1, . . . ,6; L=1, . . . , n),

₀*:=(b _(2,1) *,b _(2,2) *,b _(2,5) *,b _(2,6)*)  [Formula 203]

(S705: Hash Key Generation Step)

With the processing device, the master key generation part 110 computes Formula 204, and thereby randomly generates a hash key hk.

$\begin{matrix}{hk \overset{R}{\leftarrow} KH_{\lambda}} & \left\lbrack \text{Formula 204} \right\rbrack\end{matrix}$

(S706: Master Key Generation Step)

With the processing device, the key generation part 114 generates a public parameter pk:=(1^(λ), hk, param_(n), {B̂_(t)}_(t=0,1,2), {B̂*_(t)}_(t=1,2), b*_(0,3)) and a master secret key sk:=b*_(0,1). Then, the key generation part 114 stores the public parameter pk and the master secret key sk in the master key storage part 120.

Note that param_(n):=({param_(Vt)}_(t=0,1,2), g_(T):=e(g, g)^(φ)).

In brief, in (S701) through (S706), the key generation device 100 generates the public parameter pk and the master secret key sk by executing the Setup algorithm indicated in Formula 206, the Setup algorithm using an algorithm G^(ABS)_(ob) indicated in Formula 205.

$\begin{matrix}{{\mspace{85mu} {{{_{ob}^{ABS}\left( {1^{\lambda},6,n} \right)}\text{:}}{{{param}_{}:={\left( {q,,_{T},g,e} \right)\overset{R}{}{_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu} {N_{0}:=4},{N_{1}:={6n}},{N_{2}:=7},{{param}_{_{t}}:={\left( {q,_{t},_{T},,e} \right):={{{_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}\mspace{14mu} {for}\mspace{14mu} t} = 0}}},1,2,\mspace{79mu} {\psi \overset{U}{}_{q}^{x}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{79mu} {{param}_{n}:=\left( {\left\{ {param}_{_{1,t}} \right\}_{{t = 0},1,2},g_{T}} \right)},{X_{t}:={\left( \chi_{t,i,j} \right)_{i,{j = 1},\ldots,N_{t}}\overset{U}{}{{GL}\left( {N_{t,}_{q}} \right)}}},{{{for}\mspace{14mu} t} = 0},2}\mspace{20mu} {{{X_{1}\overset{U}{}{\mathcal{L}\left( {6,n,_{q}} \right)}}\mspace{14mu} {hereafter}},\mspace{79mu} \left\{ {\mu_{i,j},\mu_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n}}\mspace{79mu} {{{denotes}\mspace{14mu} {non}\text{-}{zero}\mspace{14mu} {entries}\mspace{14mu} {of}\mspace{14mu} X_{1}},\mspace{20mu} {{{for}\mspace{14mu} t} = 0},2,\mspace{79mu} {b_{t,i}:={\left( {\chi_{t,i,1,\ldots,}\chi_{t,i,N_{t}}} \right)_{} = {\sum_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{j}}}}}}}\mspace{79mu}\quad}{\quad{{{{for}\mspace{14mu} i} = 1},\ldots \mspace{11mu},N_{t},\mspace{79mu} {_{t}:=\left( {b_{t,1},\ldots \mspace{11mu},b_{t,N_{t}}} \right)},}\quad}{\quad\mspace{76mu} {{{for}\mspace{14mu} i},{j = 1},\ldots \mspace{11mu},{6;{L = 1}},\ldots \mspace{11mu},n,\mspace{79mu} {B_{i,j}^{*}:={\mu_{i,j}g}},{B_{i,j,L}^{\prime}:={{\mu_{i,j,L}^{\prime}g\mspace{79mu} {for}\mspace{14mu} t} = 0}},1,{{2\mspace{79mu} \left( \vartheta_{t,i,j} \right)_{i,{j = 1},\ldots,N_{t}}}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}},{b_{t,i}^{*}:={\left( {\vartheta_{t,i,1},\ldots \mspace{11mu},\vartheta_{t,i,N_{t}}} \right)_{} = {\sum_{j = 
1}^{N_{t}}{\vartheta_{t,i,j}a_{j}\mspace{14mu} {\quad{{{{for}\mspace{20mu} i} = 1},\ldots \mspace{11mu},N_{t},\mspace{20mu} {_{t}^{*}:={\left( {b_{t,1}^{*},\ldots \mspace{11mu},b_{t,N_{t}}^{*}} \right)\mspace{79mu} {return}\mspace{14mu} \left( {{param}_{n},_{0},_{0}^{*},\mspace{79mu} \left\{ {B_{i,j},B_{i,j,L}^{\prime}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n},{\left. \quad \mspace{85mu} {_{1}^{*}, _{2},_{2}^{*}} \right).}} \right.}}}}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 205} \right\rbrack \\{\mspace{85mu} {{{{Setup}\left( {1^{\lambda},n} \right)}\text{:}}\mspace{20mu} {{{hk}\overset{R}{}{KH}_{\lambda}},{\left( {{param}_{n},_{0},_{0}^{*},_{1},\left\{ {B_{i,j}^{*},B_{i,j,L}^{\prime*}} \right\}_{i,{j = 1},\ldots,{6;{L = 1}},\ldots,n}} \right)\overset{R}{}{_{ob}^{ABS}\left( {1^{\lambda},6,n} \right)}},\mspace{20mu} {{\hat{}}_{0}:=\left( {b_{0,1},b_{0,4}} \right)},{{\hat{}}_{1}:=\left( {b_{1,1},\ldots \mspace{11mu},b_{1,n},b_{1,{{4n} + 1}},\ldots \mspace{11mu},b_{1,{6n}}} \right)},\mspace{20mu} {{\hat{}}_{2}:=\left( {b_{2,1},b_{2,2},b_{2,7}} \right)},{{\hat{}}_{1}^{*}:={\left( {b_{1,1}^{*},\ldots \mspace{11mu},b_{1,n}^{*},b_{1,{{3n} + 1}}^{*},\ldots \mspace{11mu},b_{1,{4n}}^{*}} \right) = \left\{ {B_{i,j}^{*},B_{i,j,L}^{\prime*}} \right\}_{{i = 1},{4;{j = 1}},\ldots,{6;{L = 1}},\ldots,n}}},\mspace{20mu} {{\hat{}}_{0}^{*}:=\left( {b_{2,1}^{*},b_{2,2}^{*},b_{2,5}^{*},b_{2,6}^{*}} \right)},\mspace{79mu} {{pk}:=\left( {1^{\lambda},{hk},{param}_{n},\mspace{79mu} \left\{ {\hat{}}_{t} \right\}_{{t = 0},1,2},\left\{ {\hat{}}_{t}^{*} \right\}_{{t = 1},2},b_{0,3}^{*}} \right)},{{sk}:=b_{0,1}^{*}},\mspace{79mu} {{return}\mspace{14mu} {pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 206} \right\rbrack\end{matrix}$

With reference to FIG. 23, the process of the KeyGen algorithm will be described.

The process of (S801) is the same as the process of (S501) in FIG. 16. However, attribute information of a user of a signature key sk_(Γ) is set in p of the access structure S, for example.

(S802: Random Number Generation Step)

With the processing device, the random number generation part 143 generates random numbers, as indicated in Formula 207.

$\begin{matrix}{\omega,\phi_{0},\phi_{1},\phi_{2,1,1},\phi_{2,1,2},\phi_{2,2,1},\phi_{2,2,2} \overset{U}{\leftarrow} \mathbb{F}_{q}} & \left\lbrack \text{Formula 207} \right\rbrack\end{matrix}$

(S803: Key Element Generation Step)

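With the processing device, the key element generation part 144 generates an element k*₀ of the signature key sk_(Γ), as indicated in Formula 208.

$\begin{matrix}{k_{0}^{*} := \left( \omega,0,\phi_{0},0 \right)_{\mathbb{B}_{0}^{*}}} & \left\lbrack \text{Formula 208} \right\rbrack\end{matrix}$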

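With the processing device, the key element generation part 144 generates elements L*_(1,j) and L*_(2,j) of the signature key sk_(Γ), as indicated in Formula 209.

$\begin{matrix}{\begin{array}{l}
\text{for}\ j = 1,\ldots,6, \\
\quad L_{1,j} := \omega B_{1,j}^{*} + \phi_{1} B_{4,j}^{*}, \\
\quad L_{2,j} := \sum_{L = 1}^{n} y_{L}\left( \omega B_{1,j,L}^{\prime *} + \phi_{1} B_{4,j,L}^{\prime *} \right) \\
\text{where} \\
\quad \overset{\rightarrow}{y} := \left( y_{1},\ldots,y_{n} \right)\ \text{such that}\ \sum_{j = 0}^{n - 1} y_{n - j} z^{j} = z^{n - 1 - n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}}\left( z - x_{j} \right)
\end{array}} & \left\lbrack \text{Formula 209} \right\rbrack\end{matrix}$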

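With the processing device, the key element generation part 144 also generates elements k*_(2,1) and k*_(2,2) of the signature key sk_(Γ), as indicated in Formula 210.

$\begin{matrix}{\begin{array}{l}
k_{2,1}^{*} := \left( \omega\left( 1,0 \right),0,0,\phi_{2,1,1},\phi_{2,1,2},0 \right)_{\mathbb{B}_{2}^{*}}, \\
k_{2,2}^{*} := \left( \omega\left( 0,1 \right),0,0,\phi_{2,2,1},\phi_{2,2,2},0 \right)_{\mathbb{B}_{2}^{*}}
\end{array}} & \left\lbrack \text{Formula 210} \right\rbrack\end{matrix}$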

(S804: Key Transmission Step)

With the communication device and via the network, for example, the key transmission part 150 transmits the signature key sk_(Γ) having, as elements, the attribute set Γ inputted in (S801) and k*₀, L*_(1,j), L*_(2,j), k*_(2,1), and k*_(2,2) generated in (S803) to the signature device 400 in secrecy. As a matter of course, the signature key sk_(Γ) may be transmitted to the signature device 400 by another method.

In brief, in (S801) through (S803), the key generation device 100 generates the decryption key sk_(Γ) by executing the KeyGen algorithm indicated in Formula 211. In (S804), the key generation device 100 transmits the generated decryption key sk_(Γ) to the decryption device 300.

$\begin{matrix}{\begin{array}{l}
\text{KeyGen}\left( pk,sk,\Gamma = \left\{ x_{1},\ldots,x_{n^{\prime}} \mid x_{j} \in \mathbb{F}_{q}^{\times} \right\} \right): \\
\quad \omega,\phi_{0},\phi_{1},\phi_{2,1,1},\phi_{2,1,2},\phi_{2,2,1},\phi_{2,2,2} \overset{U}{\leftarrow} \mathbb{F}_{q}, \\
\quad \overset{\rightarrow}{y} := \left( y_{1},\ldots,y_{n} \right)\ \text{such that}\ \sum_{j = 0}^{n - 1} y_{n - j} z^{j} = z^{n - 1 - n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}}\left( z - x_{j} \right), \\
\quad k_{0}^{*} := \left( \omega,0,\phi_{0},0 \right)_{\mathbb{B}_{0}^{*}}, \\
\quad L_{1,j} := \omega B_{1,j}^{*} + \phi_{1} B_{4,j}^{*}, \\
\quad L_{2,j} := \sum_{L = 1}^{n} y_{L}\left( \omega B_{1,j,L}^{\prime *} + \phi_{1} B_{4,j,L}^{\prime *} \right) \quad \text{for}\ j = 1,\ldots,6, \\
\quad k_{2,1}^{*} := \left( \omega\left( 1,0 \right),0,0,\phi_{2,1,1},\phi_{2,1,2},0 \right)_{\mathbb{B}_{2}^{*}}, \\
\quad k_{2,2}^{*} := \left( \omega\left( 0,1 \right),0,0,\phi_{2,2,1},\phi_{2,2,2},0 \right)_{\mathbb{B}_{2}^{*}}, \\
\quad sk_{\Gamma} := \left( \Gamma,k_{0}^{*},\left\{ L_{1,j},L_{2,j} \right\}_{j = 1,\ldots,6},\left\{ k_{2,t}^{*} \right\}_{t = 1,2} \right), \\
\quad \text{return}\ sk_{\Gamma}.
\end{array}} & \left\lbrack \text{Formula 211} \right\rbrack\end{matrix}$

Note that the element k*₁ is defined as indicated in Formula 212, based on {L*_(1,j), L*_(2,j)}_(j=1, . . . ,6) and the vector y⃗.

$\begin{matrix}{\begin{array}{l}
k_{1}^{*} := \left( \overbrace{y_{1}L_{1,1},\ldots,y_{n - 1}L_{1,1},L_{2,1}}^{n},\ \overbrace{y_{1}L_{1,2},\ldots,y_{n - 1}L_{1,2},L_{2,2}}^{n},\ \ldots, \right. \\
\qquad\quad \left. \overbrace{y_{1}L_{1,5},\ldots,y_{n - 1}L_{1,5},L_{2,5}}^{n},\ \overbrace{y_{1}L_{1,6},\ldots,y_{n - 1}L_{1,6},L_{2,6}}^{n} \right), \\
\text{that is,}\quad k_{1}^{*} = \left( \overbrace{\omega\overset{\rightarrow}{y}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{\phi_{1}\overset{\rightarrow}{y}}^{n},\ \overbrace{0^{2n}}^{2n} \right)_{\mathbb{B}_{1}^{*}}
\end{array}} & \left\lbrack \text{Formula 212} \right\rbrack\end{matrix}$

The function and operation of the signature device 400 will be described.

As illustrated in FIG. 20, the signature device 400 includes a signature key receiving part 410, an information input part 420, a complementary coefficient computation part 430, a signature data generation part 440, and a data transmission part 450. The signature data generation part 440 includes a random number generation part 441 and a signature element generation part 442.

With reference to FIG. 24, the process of the Sig algorithm will be described.

(S901: Signature Key Receiving Step)

With the communication device and via the network, for example, the signature key receiving part 410 receives the signature key sk_(Γ) generated by the key generation device 100. The signature key receiving part 410 also receives the public parameter pk generated by the key generation device 100.

(S902: Information Input Step)

With the input device, the information input part 420 takes as input an access structure S:=(M, ρ). With the input device, the information input part 420 also takes as input a message m to which a signature is to be appended.

(S903: Span Program Computation Step)

With the processing device, the complementary coefficient computation part 430 determines whether or not the access structure S inputted in (S902) accepts the attribute set Γ included in the signature key sk_(Γ) received in (S901).

If the access structure S accepts the attribute set Γ (accept in S903), the complementary coefficient computation part 430 advances the process to (S904). If the access structure S rejects the attribute set Γ (reject in S903), the complementary coefficient computation part 430 ends the process.

(S904: Complementary Coefficient Computation Step)

With the processing device, the complementary coefficient computation part 430 computes a vector y⃗ such that Formula 213 is satisfied, I such that Formula 214 is satisfied, and a constant (complementary coefficient) α_(i) for each integer i included in I.

$\begin{matrix}{\overset{\rightarrow}{y} := \left( y_{1},\ldots,y_{n} \right)\ \text{such that}\ \sum_{j = 0}^{n - 1} y_{n - j} z^{j} = z^{n - 1 - n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}}\left( z - x_{j} \right)} & \left\lbrack \text{Formula 213} \right\rbrack\end{matrix}$

$\begin{matrix}{\begin{array}{l}
\overset{\rightarrow}{1} = \sum\limits_{i \in I} \alpha_{i} M_{i} \\
\text{where}\ M_{i}\ \text{is the}\ i\text{-th row of}\ M,\ \text{and} \\
I \subseteq \left\{ i \in \left\{ 1,\ldots,L \right\} \mid \left\lbrack \rho(i) = v_{i} \land v_{i} \in \Gamma \right\rbrack \lor \left\lbrack \rho(i) = \neg v_{i} \land v_{i} \notin \Gamma \right\rbrack \right\}
\end{array}} & \left\lbrack \text{Formula 214} \right\rbrack\end{matrix}$

(S905: Random Number Generation Step)

With the processing device, the random number generation part 441 generates random numbers, as indicated in Formula 215.

$\begin{matrix}{\xi \overset{U}{\leftarrow} \mathbb{F}_{q}^{\times},\quad \left( \beta_{i} \right) \overset{U}{\leftarrow} \left\{ \left( \beta_{1},\ldots,\beta_{L} \right) \mid \sum_{i = 1}^{L} \beta_{i} M_{i} = \overset{\rightarrow}{0} \right\}} & \left\lbrack \text{Formula 215} \right\rbrack\end{matrix}$

(S906: Signature Element Generation Step)

With the processing device, the signature element generation part 442 generates an element s*₀ of a signature σ, as indicated in Formula 216.

$\begin{matrix}{s_{0}^{*} := \xi k_{0}^{*} + r_{0}^{*}} & \left\lbrack \text{Formula 216} \right\rbrack\end{matrix}$

Note that r*₀ is as indicated in Formula 217.

$\begin{matrix}{r_{0}^{*} \overset{U}{\leftarrow} \text{span}\left\langle b_{0,3}^{*} \right\rangle} & \left\lbrack \text{Formula 217} \right\rbrack\end{matrix}$

With the processing device, the signature element generation part 442 also generates an element s*_(i) of the signature σ for each integer i=1, . . . , L, as indicated in Formula 218.

$\begin{matrix}{s_{i}^{*} := \gamma_{i} \cdot \xi k_{1}^{*} + \sum_{t = 1}^{n} u_{i,t} \cdot b_{1,t}^{*} + r_{i}^{*},\quad \text{for}\ i = 1,\ldots,L} & \left\lbrack \text{Formula 218} \right\rbrack\end{matrix}$

Note that r*_(i) is as indicated in Formula 219.

$\begin{matrix}{r_{i}^{*} \overset{U}{\leftarrow} \text{span}\left\langle b_{1,3n + 1}^{*},\ldots,b_{1,4n}^{*} \right\rangle} & \left\lbrack \text{Formula 219} \right\rbrack\end{matrix}$

Note also that γ_(i) and u⃗_(i):=(u_(i,i′)) (i′=1, . . . , n) are as indicated in Formula 220.

$\begin{matrix}{\begin{array}{l}
\gamma_{i},\ {\overset{\rightarrow}{u}}_{i} := \left( u_{i,1},\ldots,u_{i,n} \right)\ \text{are defined as} \\
\text{if}\ i \in I \land \rho(i) = {\overset{\rightarrow}{v}}_{i}, \\
\quad \gamma_{i} := \alpha_{i},\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = 0 \land u_{i,1} = \beta_{i} \right\}, \\
\text{if}\ i \in I \land \rho(i) = \neg{\overset{\rightarrow}{v}}_{i}, \\
\quad \gamma_{i} := \frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot \overset{\rightarrow}{y}},\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = \beta_{i} \right\}, \\
\text{if}\ i \notin I \land \rho(i) = {\overset{\rightarrow}{v}}_{i}, \\
\quad \gamma_{i} := 0,\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = 0 \land u_{i,1} = \beta_{i} \right\}, \\
\text{if}\ i \notin I \land \rho(i) = \neg{\overset{\rightarrow}{v}}_{i}, \\
\quad \gamma_{i} := 0,\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = \beta_{i} \right\}
\end{array}} & \left\lbrack \text{Formula 220} \right\rbrack\end{matrix}$

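With the processing device, the signature element generation part 442 also generates an element s*_(L+1) of the signature σ, as indicated in Formula 221.

$\begin{matrix}{s_{L + 1}^{*} := \xi\left( k_{2,1}^{*} + H_{hk}^{\lambda,D}\left( m \parallel \mathbb{S} \right) \cdot k_{2,2}^{*} \right) + r_{L + 1}^{*}} & \left\lbrack \text{Formula 221} \right\rbrack\end{matrix}$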

Note that r*_(L+1) is as indicated in Formula 222.

$\begin{matrix}{r_{L + 1}^{*} \overset{U}{\leftarrow} \text{span}\left\langle b_{2,5}^{*},b_{2,6}^{*} \right\rangle} & \left\lbrack \text{Formula 222} \right\rbrack\end{matrix}$

(S907: Data Transmission Step)

With the communication device and via the network, for example, the data transmission part 450 transmits the signature σ including the elements s*₀, s*_(i), and s*_(L+1), the message m, and the access structure S:=(M, ρ) to the verification device 500. As a matter of course, the signature σ may be transmitted to the verification device 500 by another method.

In brief, in (S901) through (S906), the signature device 400 generates the signature σ by executing the Sig algorithm indicated in Formula 223. In (S907), the signature device 400 transmits the generated signature σ to the verification device 500.

$\begin{matrix}{\begin{array}{l}
\text{Sig}\left( pk,sk_{\Gamma},m,\mathbb{S} := \left( M,\rho \right) \right): \\
\quad \text{If}\ \mathbb{S}\ \text{accepts}\ \Gamma,\ \text{then compute} \\
\quad \overset{\rightarrow}{y} := \left( y_{1},\ldots,y_{n} \right)\ \text{such that}\ \sum_{j = 0}^{n - 1} y_{n - j} z^{j} = z^{n - 1 - n^{\prime}} \cdot \prod_{j = 1}^{n^{\prime}}\left( z - x_{j} \right), \\
\quad I\ \text{and}\ \left\{ \alpha_{i} \right\}_{i \in I}\ \text{such that} \\
\quad \overset{\rightarrow}{1} = \sum\limits_{i \in I} \alpha_{i} M_{i} \\
\quad \text{where}\ M_{i}\ \text{is the}\ i\text{-th row of}\ M,\ \text{and} \\
\quad I \subseteq \left\{ i \in \left\{ 1,\ldots,L \right\} \mid \left\lbrack \rho(i) = v_{i} \land v_{i} \in \Gamma \right\rbrack \lor \left\lbrack \rho(i) = \neg v_{i} \land v_{i} \notin \Gamma \right\rbrack \right\}, \\
\quad \xi \overset{U}{\leftarrow} \mathbb{F}_{q}^{\times},\quad \left( \beta_{i} \right) \overset{U}{\leftarrow} \left\{ \left( \beta_{1},\ldots,\beta_{L} \right) \mid \sum_{i = 1}^{L} \beta_{i} M_{i} = \overset{\rightarrow}{0} \right\}, \\
\quad s_{0}^{*} := \xi k_{0}^{*} + r_{0}^{*},\quad \text{where}\ r_{0}^{*} \overset{U}{\leftarrow} \text{span}\left\langle b_{0,3}^{*} \right\rangle,
\end{array}} & \left\lbrack \text{Formula 223-1} \right\rbrack \\
{\begin{array}{l}
\quad s_{i}^{*} := \gamma_{i} \cdot \xi k_{1}^{*} + \sum_{t = 1}^{n} u_{i,t} \cdot b_{1,t}^{*} + r_{i}^{*},\quad {\overset{\rightarrow}{v}}_{i} := \left( v_{i}^{n - 1},\ldots,v_{i},1 \right),\quad \text{for}\ i = 1,\ldots,L, \\
\quad \text{where}\ r_{i}^{*} \overset{U}{\leftarrow} \text{span}\left\langle b_{1,3n + 1}^{*},\ldots,b_{1,4n}^{*} \right\rangle, \\
\quad \gamma_{i},\ {\overset{\rightarrow}{u}}_{i} := \left( u_{i,1},\ldots,u_{i,n} \right)\ \text{are defined as} \\
\quad \text{if}\ i \in I \land \rho(i) = {\overset{\rightarrow}{v}}_{i}, \\
\quad\quad \gamma_{i} := \alpha_{i},\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = 0 \land u_{i,1} = \beta_{i} \right\}, \\
\quad \text{if}\ i \in I \land \rho(i) = \neg{\overset{\rightarrow}{v}}_{i}, \\
\quad\quad \gamma_{i} := \frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot \overset{\rightarrow}{y}},\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = \beta_{i} \right\}, \\
\quad \text{if}\ i \notin I \land \rho(i) = {\overset{\rightarrow}{v}}_{i}, \\
\quad\quad \gamma_{i} := 0,\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = 0 \land u_{i,1} = \beta_{i} \right\}, \\
\quad \text{if}\ i \notin I \land \rho(i) = \neg{\overset{\rightarrow}{v}}_{i}, \\
\quad\quad \gamma_{i} := 0,\quad {\overset{\rightarrow}{u}}_{i} \overset{U}{\leftarrow} \left\{ {\overset{\rightarrow}{u}}_{i} \mid {\overset{\rightarrow}{u}}_{i} \cdot {\overset{\rightarrow}{v}}_{i} = \beta_{i} \right\}, \\
\quad s_{L + 1}^{*} := \xi\left( k_{2,1}^{*} + H_{hk}^{\lambda,D}\left( m \parallel \mathbb{S} \right) \cdot k_{2,2}^{*} \right) + r_{L + 1}^{*}, \\
\quad \text{where}\ r_{L + 1}^{*} \overset{U}{\leftarrow} \text{span}\left\langle b_{2,5}^{*},b_{2,6}^{*} \right\rangle, \\
\quad \text{return}\ \sigma := \left( s_{0}^{*},\ldots,s_{L + 1}^{*} \right).
\end{array}} & \left\lbrack \text{Formula 223-2} \right\rbrack\end{matrix}$

The function and operation of the verification device 500 will be described.

As illustrated in FIG. 21, the verification device 500 includes a public parameter receiving part 510, a data receiving part 520, a verification data generation part 530, and a verification part 540. The verification data generation part 530 includes an f vector generation part 531, an s vector generation part 532, a random number generation part 533, and a verification element generation part 534.

With reference to FIG. 25, the process of the Ver algorithm will be described.

(S1001: Public Parameter Receiving Step)

With the communication device and via the network, for example, the public parameter receiving part 510 receives the public parameter pk generated by the key generation device 100.

(S1002: Signature Receiving Step)

With the communication device and via the network, for example, the data receiving part 520 receives the signature σ transmitted by the signature device 400.

(S1003: f Vector Generation Step)

With the processing device, the f vector generation part 531 randomly generates a vector f⃗, as indicated in Formula 224.

$\begin{matrix}{\overset{\rightarrow}{f} \overset{U}{\leftarrow} \mathbb{F}_{q}^{r}} & \left\lbrack \text{Formula 224} \right\rbrack\end{matrix}$

(S1004: s Vector Generation Step)

With the processing device, the s vector generation part 532 generates a vector s⃗^(T):=(s₁, . . . ,s_(L))^(T), as indicated in Formula 225.

$\begin{matrix}{{\overset{\rightarrow}{s}}^{T} := \left( s_{1},\ldots,s_{L} \right)^{T} := M \cdot {\overset{\rightarrow}{f}}^{T}} & \left\lbrack \text{Formula 225} \right\rbrack\end{matrix}$

With the processing device, the s vector generation part 532 also generates a value s₀, as indicated in Formula 226.

$\begin{matrix}{s_{0} := \overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}} & \left\lbrack \text{Formula 226} \right\rbrack\end{matrix}$

(S1005: Random Number Generation Step)

With the processing device, the random number generation part 533 generates random numbers, as indicated in Formula 227.

$\begin{matrix}{\begin{array}{l}
\eta_{0},\eta_{L + 1},\theta_{L + 1},s_{L + 1} \overset{U}{\leftarrow} \mathbb{F}_{q}, \\
{\overset{\rightarrow}{\eta}}_{i} \overset{U}{\leftarrow} \mathbb{F}_{q}^{2n} \quad \text{for}\ i = 1,\ldots,L, \\
\theta_{i} \overset{U}{\leftarrow} \mathbb{F}_{q} \quad \text{for}\ i = 1,\ldots,L
\end{array}} & \left\lbrack \text{Formula 227} \right\rbrack\end{matrix}$

(S1006: Verification Element Generation Step)

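With the processing device, the verification element generation part 534 generates an element c₀ of a verification key, as indicated in Formula 228.

$\begin{matrix}{c_{0} := \left( - s_{0} - s_{L + 1},0,0,\eta_{0} \right)_{\mathbb{B}_{0}}} & \left\lbrack \text{Formula 228} \right\rbrack\end{matrix}$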

With the processing device, the verification element generation part 534 also generates an element c_(i) of the verification key for each integer i=1, . . . , L, as indicated in Formula 229.

$\begin{matrix}{\begin{array}{l}
\text{for}\ i = 1,\ldots,L,\quad {\overset{\rightarrow}{v}}_{i} := \left( v_{i}^{n - 1},\ldots,v_{i},1 \right), \\
\text{if}\ \rho(i) = v_{i}, \\
\quad c_{i} := \left( \overbrace{s_{i}{\overset{\rightarrow}{e}}_{1} + \theta_{i}{\overset{\rightarrow}{v}}_{i}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{0^{n}}^{n},\ \overbrace{{\overset{\rightarrow}{\eta}}_{i}}^{2n} \right)_{\mathbb{B}_{1}}, \\
\text{if}\ \rho(i) = \neg v_{i}, \\
\quad c_{i} := \left( \overbrace{s_{i}{\overset{\rightarrow}{v}}_{i}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{0^{n}}^{n},\ \overbrace{{\overset{\rightarrow}{\eta}}_{i}}^{2n} \right)_{\mathbb{B}_{1}}
\end{array}} & \left\lbrack \text{Formula 229} \right\rbrack\end{matrix}$

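With the processing device, the verification element generation part 534 also generates an element c_(L+1) of the verification key, as indicated in Formula 230.

$\begin{matrix}{c_{L + 1} := \left( s_{L + 1} - \theta_{L + 1} H_{hk}^{\lambda,D}\left( m \parallel \mathbb{S} \right),\theta_{L + 1},0,0,0,0,\eta_{L + 1} \right)_{\mathbb{B}_{2}}} & \left\lbrack \text{Formula 230} \right\rbrack\end{matrix}$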

(S1007: First Pairing Operation Step)

With the processing device, the verification part 540 computes a pairing operation e (b_(0,1), s*₀).

If the result of computing the pairing operation e (b_(0,1), s*₀) is a value 1, the verification part 540 outputs a value 0 indicating that the verification of the signature has failed, and ends the process. If the result of computing the pairing operation e (b_(0,1), s*₀) is not a value 1, the verification part 540 advances the process to S1008.

(S1008: Second Pairing Operation Step)

With the processing device, the verification part 540 computes a pairing operation indicated in Formula 231.

$\begin{matrix}{\prod_{i = 0}^{L + 1} e\left( c_{i},s_{i}^{*} \right)} & \left\lbrack \text{Formula 231} \right\rbrack\end{matrix}$

If the result of computing the pairing operation indicated in Formula 231 is a value 1, the verification part 540 outputs a value 1 indicating that the verification of the signature has succeeded. If the result is other than a value 1, the verification part 540 outputs a value 0 indicating that the verification of the signature has failed.

In brief, in (S1001) through (S1008), the verification device 500 verifies the signature σ by executing the Ver algorithm indicated in Formula 232.

$\begin{matrix}{\begin{array}{l}
\text{Ver}\left( pk,m,\mathbb{S} := \left( M,\rho \right),\sigma \right): \\
\quad \overset{\rightarrow}{f} \overset{U}{\leftarrow} \mathbb{F}_{q}^{r},\quad {\overset{\rightarrow}{s}}^{T} := \left( s_{1},\ldots,s_{L} \right)^{T} := M \cdot {\overset{\rightarrow}{f}}^{T},\quad s_{0} := \overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}, \\
\quad \eta_{0},\eta_{L + 1},\theta_{L + 1},s_{L + 1} \overset{U}{\leftarrow} \mathbb{F}_{q}, \\
\quad c_{0} := \left( - s_{0} - s_{L + 1},0,0,\eta_{0} \right)_{\mathbb{B}_{0}}, \\
\quad \text{for}\ i = 1,\ldots,L,\quad {\overset{\rightarrow}{v}}_{i} := \left( v_{i}^{n - 1},\ldots,v_{i},1 \right), \\
\quad \text{if}\ \rho(i) = v_{i}, \\
\quad\quad \text{if}\ s_{i}^{*} \notin \mathbb{V}_{1},\ \text{return}\ 0, \\
\quad\quad \text{else}\ \theta_{i} \overset{U}{\leftarrow} \mathbb{F}_{q},\ {\overset{\rightarrow}{\eta}}_{i} \overset{U}{\leftarrow} \mathbb{F}_{q}^{2n}, \\
\quad\quad c_{i} := \left( \overbrace{s_{i}{\overset{\rightarrow}{e}}_{1} + \theta_{i}{\overset{\rightarrow}{v}}_{i}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{0^{n}}^{n},\ \overbrace{{\overset{\rightarrow}{\eta}}_{i}}^{2n} \right)_{\mathbb{B}_{1}}, \\
\quad \text{if}\ \rho(i) = \neg v_{i}, \\
\quad\quad \text{if}\ s_{i}^{*} \notin \mathbb{V}_{1},\ \text{return}\ 0, \\
\quad\quad \text{else}\ \theta_{i} \overset{U}{\leftarrow} \mathbb{F}_{q},\ {\overset{\rightarrow}{\eta}}_{i} \overset{U}{\leftarrow} \mathbb{F}_{q}^{2n}, \\
\quad\quad c_{i} := \left( \overbrace{s_{i}{\overset{\rightarrow}{v}}_{i}}^{n},\ \overbrace{0^{2n}}^{2n},\ \overbrace{0^{n}}^{n},\ \overbrace{{\overset{\rightarrow}{\eta}}_{i}}^{2n} \right)_{\mathbb{B}_{1}}, \\
\quad c_{L + 1} := \left( s_{L + 1} - \theta_{L + 1} H_{hk}^{\lambda,D}\left( m \parallel \mathbb{S} \right),\theta_{L + 1},0,0,0,0,\eta_{L + 1} \right)_{\mathbb{B}_{2}}, \\
\quad \text{return}\ 0\ \text{if}\ e\left( b_{0,1},s_{0}^{*} \right) = 1, \\
\quad \text{return}\ 1\ \text{if}\ \prod_{i = 0}^{L + 1} e\left( c_{i},s_{i}^{*} \right) = 1, \\
\quad \text{return}\ 0\ \text{otherwise}.
\end{array}} & \left\lbrack \text{Formula 232} \right\rbrack\end{matrix}$
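The scalar relations that the Sig and Ver algorithms rely on can be checked without any pairing arithmetic. The following Python code is an added example, not code from the patent: it builds y⃗ from Γ as in Formula 213, selects I and solves for the complementary coefficients α_(i) of Formula 214, and confirms that the γ_(i)-weighted terms of Formula 220 recombine the verifier's shares s_(i) of Formula 225 into s₀ of Formula 226. The toy prime Q, the sample span program M/RHO, and all function names are assumptions; bases, pairings, and the randomizers ξ, ω, β_(i) are left out.

```python
import secrets

Q = 2**61 - 1  # constructed toy prime standing in for the group order q

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def y_vector(gamma, n):
    """(y_1..y_n): coefficients of z^(n-1-n') * prod_j (z - x_j), highest degree first."""
    # Every x_j must be non-zero: the z^(n-1-n') padding already makes 0 a root.
    if len(gamma) > n - 1 or any(x % Q == 0 for x in gamma):
        raise ValueError("need n' <= n-1 and every x_j in F_q^x")
    coeffs = [1]                                  # lowest degree first
    for x in gamma:                               # multiply by (z - x)
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):
            nxt[k] = (nxt[k] - x * c) % Q
            nxt[k + 1] = (nxt[k + 1] + c) % Q
        coeffs = nxt
    coeffs = [0] * (n - 1 - len(gamma)) + coeffs  # multiply by z^(n-1-n')
    return coeffs[::-1]

def v_vector(v, n):
    """(v^(n-1), ..., v, 1): its inner product with y is the polynomial evaluated at v."""
    return [pow(v, n - 1 - k, Q) for k in range(n)]

def solve(rows, target):
    """Find alpha with sum_k alpha[k]*rows[k] == target over F_q (None if impossible)."""
    m, r = len(rows), len(target)
    # One equation per column of M, one unknown per selected row, plus the target column.
    aug = [[rows[k][c] % Q for k in range(m)] + [target[c] % Q] for c in range(r)]
    pivots, row = [], 0
    for col in range(m):
        if row == r:
            break
        p = next((i for i in range(row, r) if aug[i][col]), None)
        if p is None:
            continue
        aug[row], aug[p] = aug[p], aug[row]
        inv = pow(aug[row][col], -1, Q)
        aug[row] = [x * inv % Q for x in aug[row]]
        for i in range(r):
            if i != row and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % Q for x, y in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
    if any(aug[i][m] for i in range(row, r)):
        return None                               # the all-ones vector is out of reach
    alpha = [0] * m
    for i, col in enumerate(pivots):
        alpha[col] = aug[i][m]
    return alpha

def complementary_coefficients(M, rho, gamma):
    """rho[i] = (is_positive, v_i). Returns (I, {i: alpha_i}) or None if S rejects gamma."""
    gset = {x % Q for x in gamma}
    I = [i for i, (pos, v) in enumerate(rho) if pos == (v % Q in gset)]
    alpha = solve([M[i] for i in I], [1] * len(M[0]))
    return None if alpha is None else (I, dict(zip(I, alpha)))

def shares_recombine(M, rho, gamma, n):
    """True if the gamma_i-weighted row terms add up to s_0; None if S rejects gamma."""
    res = complementary_coefficients(M, rho, gamma)
    if res is None:
        return None
    I, alpha = res
    y = y_vector(gamma, n)
    f = [secrets.randbelow(Q) for _ in M[0]]
    s = [dot(row, f) for row in M]                # Formula 225
    s0 = sum(f) % Q                               # Formula 226
    total = 0
    for i in I:
        pos, v = rho[i]
        vy = dot(v_vector(v, n), y)               # 0 exactly when v is a root of the polynomial
        if pos:   # gamma_i = alpha_i; c_i carries s_i*e_1 + theta_i*v_i
            theta = secrets.randbelow(Q)
            total += alpha[i] * (s[i] * y[0] + theta * vy)
        else:     # gamma_i = alpha_i / (v_i . y); c_i carries s_i*v_i
            total += alpha[i] * pow(vy, -1, Q) * s[i] * vy
    return total % Q == s0

# Constructed sample: (attribute 3 AND NOT attribute 7) OR attribute 11
M = [[1, 0], [0, 1], [1, 1]]
RHO = [(True, 3), (False, 7), (True, 11)]

if __name__ == "__main__":
    for gamma in ([3, 5], [7, 5], [11]):
        print(gamma, complementary_coefficients(M, RHO, gamma), shares_recombine(M, RHO, gamma, 4))
```

For positive rows the θ_(i) term vanishes only because v⃗_(i)·y⃗ = 0 when v_(i) ∈ Γ, and for negative rows the division is defined only because v⃗_(i)·y⃗ ≠ 0 when v_(i) ∉ Γ.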

As described above, it is possible to construct the ABS scheme to which the CP-ABE scheme described in Embodiment 2 is applied.

Similarly as in the CP-ABE scheme described in Embodiment 2 in which the size of the decryption key sk_(Γ) can be reduced, the size of the signature key sk_(Γ) can be reduced in the ABS scheme described in Embodiment 4.

The ABS scheme to which the CP-ABE scheme described in Embodiment 2 is applied has been described herein. It is also possible to construct an ABS scheme to which the CP-FE scheme described in Embodiment 3 is applied by applying the concept of Embodiment 3 to the ABS scheme described in Embodiment 4.

Embodiment 5

In the above embodiments, the methods for implementing the cryptographic processes in dual vector spaces have been described. In Embodiment 5, a method for implementing the cryptographic processes in dual modules will be described.

That is, in the above embodiments, the cryptographic processes are implemented in cyclic groups of prime order q. However, when a ring R is expressed using a composite number M as indicated in Formula 233, the cryptographic processes described in the above embodiments can be adapted to a module having the ring R as a coefficient.

  [Formula 233]

where

: integer, and M: composite number.

By changing F_(q) to R in the algorithms described in the above embodiments, the cryptographic processes in dual additive groups can be implemented.

In the above embodiments, the encoding part, the hidden part, the secret key randomness part, and the ciphertext randomness part are n-, 2n-, 2n- and n-dimensional, respectively, and the basis B₁ and basis B*₁ are 6n-dimensional. However, it is not limited to this, and the hidden part, the secret key randomness part, and the ciphertext randomness part may be u-, w-, and z-dimensional not depending on n, respectively, and the basis B₁ and basis B*₁ may be n+u+w+z-dimensional, where u, w, and z are integers of 0 or greater.

In the above description, in the case of KP, an element of a ciphertext is generated using a first vector, and an element of a decryption key is generated using a second vector, in order to reduce the size of the ciphertext. However, in the case of KP, an element of a decryption key may be generated using a first vector, and an element of a ciphertext may be generated using a second vector, in order to reduce the size of the decryption key.

Similarly, in the above description, in the case of CP, an element of a decryption key is generated using a first vector, and an element of a ciphertext is generated using a second vector, in order to reduce the size of the decryption key. However, in the case of CP, an element of a ciphertext may be generated using a first vector, and an element of a decryption key may be generated using a second vector, in order to reduce the size of the ciphertext.

In the above embodiments, a single key generation device 100 generates a decryption key. However, a single decryption key may be generated by a plurality of key generation devices 100 by combining the algorithms of the above embodiments with a multi-authority scheme described in Non-Patent Literature 3.

From the viewpoint of security proof, in the above embodiments, ρ(i) for each integer i=1, . . . , L may be limited to a positive tuple (t, v⃗) or negative tuple ¬(t, v⃗) for respectively different identification information t.

In other words, when ρ(i)=(t, v⃗) or ρ(i)=¬(t, v⃗), let a function ρ^(˜) be a map of {1, . . . , L}→{1, . . . , d} such that ρ^(˜)(i)=t. In this case, ρ^(˜) may be limited to an injection. Note that ρ(i) is ρ(i) in the access structure S:=(M, ρ(i)) described above.

FIG. 26 is a diagram illustrating an example of a hardware configurationof each device (the key generation device 100, the encryption device200, the decryption device 300, the signature device 400, and theverification device 500) of the cryptographic system 10 presented inEmbodiments 1 to 5.

Each device of the cryptographic system 10 is a computer, and each element of each device of the cryptographic system 10 can be implemented by a program.

As the hardware configuration of each device of the cryptographic system 10, an arithmetic device 901, an external storage device 902, a main storage device 903, a communication device 904, and an input/output device 905 are connected to a bus.

The arithmetic device 901 is a CPU (Central Processing Unit) or the like that executes programs. The external storage device 902 is, for example, a ROM (Read Only Memory), a flash memory, a hard disk device, or the like. The main storage device 903 is, for example, a RAM (Random Access Memory) or the like. The communication device 904 is, for example, a communication board or the like. The input/output device 905 is, for example, a mouse, a keyboard, a display device, or the like.

The programs are normally stored in the external storage device 902. The programs are loaded into the main storage device 903 to be sequentially read and executed by the arithmetic device 901.

The programs are those that implement the functions described as the master key generation part 110, the master key storage part 120, the information input part 130, the decryption key generation part 140, the key transmission part 150, the public parameter receiving part 210, the information input part 220, the encrypted data generation part 230, the data transmission part 240, the decryption key receiving part 310, the data receiving part 320, the span program computation part 330, the complementary coefficient computation part 340, the decryption part 350, the signature key receiving part 410, the information input part 420, the complementary coefficient computation part 430, the signature data generation part 440, the data transmission part 450, the public parameter receiving part 510, the data receiving part 520, the verification data generation part 530, and the verification part 540.

Further, an operating system (OS) is also stored in the external storage device 902. At least part of the OS is loaded into the main storage device 903, and the arithmetic device 901 executes the above-described programs while executing the OS.

Information, data, signal values, and variable values described as the “public parameter pk”, the “master secret key sk”, the “decryption keys sk_(Γ) and sk_(S)”, the “ciphertexts ct_(S) and ct_(Γ)”, the “signature key sk_(Γ)”, the “verification key”, the “access structure S”, the “attribute set Γ”, the “message m”, the “signature σ”, and so on in the description of Embodiments 1 to 5 are stored as files in the main storage device 903.

The configuration of FIG. 26 indicates an example of the hardware configuration of each device of the cryptographic system 10. The hardware configuration of each device of the cryptographic system 10 is not limited to the configuration of FIG. 26, and may be a different configuration.

REFERENCE SIGNS LIST

-   100: key generation device, 110: master key generation part, 111: space generation part, 112: matrix generation part, 113: basis generation part, 114: key generation part, 120: master key storage part, 130: information input part, 140: decryption key generation part, 141: f vector generation part, 142: s vector generation part, 143: random number generation part, 144: key element generation part, 150: key transmission part
-   200: encryption device, 210: public parameter receiving part, 220: information input part, 230: encrypted data generation part, 231: random number generation part, 232: cipher element generation part, 233: f vector generation part, 234: s vector generation part, 240: data transmission part
-   300: decryption device, 310: decryption key receiving part, 320: data receiving part, 330: span program computation part, 340: complementary coefficient computation part, 350: decryption part
-   400: signature device, 410: signature key receiving part, 420: information input part, 430: complementary coefficient computation part, 440: signature data generation part, 441: random number generation part, 442: signature element generation part, 450: data transmission part
-   500: verification device, 510: public parameter receiving part, 520: data receiving part, 530: verification data generation part, 531: f vector generation part, 532: s vector generation part, 533: random number generation part, 534: verification element generation part, and 540: verification part

1-9. (canceled)

10. A cryptographic system to perform a cryptographic process using a basis B and a basis B*, the cryptographic system comprising: processing circuitry to: generate a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) (j=1, . . . , n) of a polynomial having attribute information x_(i) (i=1, . . . , n′, n′ being an integer from 1 to n−1, n being an integer of 2 or greater) as roots and a second vector consisting of v₁ ^(i) (i=0, . . . , n−1) being a power of predicate information v₁; and perform a pairing operation on the transmission-side vector and a reception-side vector being a vector in the basis B* and being generated using the other vector of the first vector and the second vector.

11. The cryptographic system according to claim 10, wherein the basis B and the basis B* are bases which are generated by transforming a basis A by using a sparse matrix having at least one value other than a constant value 0 in each row and each column.

12. The cryptographic system according to claim 10, wherein the first vector is a vector indicated in Formula 1, and the second vector is a vector indicated in Formula 2

[Formula 1]
$$\vec{y} := (y_1, \ldots, y_n) \ \text{such that} \ \sum_{j=0}^{n-1} y_{n-j} z^{j} = z^{n-1-n'} \cdot \prod_{j=1}^{n'} (z - x_j)$$

[Formula 2]
$$\vec{v}_1 := (v_1^{n-1}, \ldots, v_1, 1).$$

13. The cryptographic system according to claim 12, wherein the processing circuitry generates a ciphertext ct_(Γ) including a transmission-side vector c₁ indicated in Formula 3, and decrypts the ciphertext ct_(Γ) by using a decryption key sk_(S) including a reception-side vector k*_(i) indicated in Formula 4

[Formula 3]
$$c_1 = (\overbrace{\omega \vec{y},}^{n} \ \ldots)_{\mathbb{B}_1} \quad \text{where} \quad \omega \overset{U}{\leftarrow} \mathbb{F}_q$$

[Formula 4]
$$\begin{aligned}
&\text{for } i = 1, \ldots, L, \\
&\text{if } \rho(i) = v_i, \quad k_i^* := (\overbrace{s_i \vec{e}_1 + \theta_i \vec{v}_i,}^{n} \ \ldots)_{\mathbb{B}_1^*}, \\
&\text{if } \rho(i) = \neg v_i, \quad k_i^* := (\overbrace{s_i \vec{v}_i,}^{n_t} \ \ldots)_{\mathbb{B}_1^*}, \\
&\text{where } \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r}, \quad \vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}, \quad s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\theta_i \overset{U}{\leftarrow} \mathbb{F}_q, \quad \vec{v}_i := (v_i^{n-1}, \ldots, v_i, 1).
\end{aligned}$$

14. The cryptographic system according to claim 12, wherein the processing circuitry generates a ciphertext ct_(S) including a transmission-side vector c_(i) indicated in Formula 5, and decrypts the ciphertext ct_(S) by using a decryption key sk_(Γ) including a reception-side vector k*₁ indicated in Formula 6

[Formula 5]
$$\begin{aligned}
&\text{for } i = 1, \ldots, L, \\
&\text{if } \rho(i) = v_i, \quad c_i := (\overbrace{s_i \vec{e}_1 + \theta_i \vec{v}_i,}^{n} \ \ldots)_{\mathbb{B}_1}, \\
&\text{if } \rho(i) = \neg v_i, \quad c_i := (\overbrace{s_i \vec{v}_i,}^{n_t} \ \ldots)_{\mathbb{B}_1} \\
&\text{where } \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r}, \quad \vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}, \quad s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\theta_i \overset{U}{\leftarrow} \mathbb{F}_q, \quad \vec{v}_i := (v_i^{n-1}, \ldots, v_i, 1).
\end{aligned}$$

[Formula 6]
$$k_1^* = (\overbrace{\omega \vec{y},}^{n} \ \ldots)_{\mathbb{B}_1^*} \quad \text{where} \quad \omega \overset{U}{\leftarrow} \mathbb{F}_q.$$

15. The cryptographic system according to claim 12, wherein the processing circuitry generates a ciphertext ct_(Γ) including a transmission-side vector c_(1,t) indicated in Formula 7, and decrypts the ciphertext ct_(Γ) by using a decryption key sk_(S) including a reception-side vector k*_(i,t) indicated in Formula 8

[Formula 7]
$$\begin{aligned}
&c_{1,t} = (\overbrace{\omega \vec{y}_t,}^{n_t} \ \ldots)_{\mathbb{B}_{1,t}} \quad \text{where} \quad \omega \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\vec{y}_t := (y_{1,t}, \ldots, y_{n_t,t}) \ \text{such that} \ \sum_{j=0}^{n-1} y_{n_t-j,t} z^{j} = z^{n_t-1-n_t'} \cdot \prod_{j=1}^{n_t'} (z - x_{j,t})
\end{aligned}$$

[Formula 8]
$$\begin{aligned}
&\text{for } i = 1, \ldots, L, \\
&\text{if } \rho(i) = (t, v_i), \quad k_i^* := (\overbrace{s_i \vec{e}_{1,t} + \theta_i \vec{v}_i,}^{n_t} \ \ldots)_{\mathbb{B}_{1,t}^*}, \\
&\text{if } \rho(i) = \neg(t, v_i), \quad k_i^* := (\overbrace{s_i \vec{v}_i,}^{n_t} \ \ldots)_{\mathbb{B}_{1,t}^*} \\
&\text{where } \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r}, \quad \vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}, \quad s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\theta_i \overset{U}{\leftarrow} \mathbb{F}_q, \quad \vec{v}_i := (v_i^{n_t-1}, \ldots, v_i, 1).
\end{aligned}$$

16. The cryptographic system according to claim 12, wherein the processing circuitry generates a ciphertext ct_(S) including a transmission-side vector c_(i,t) indicated in Formula 9, and decrypts the ciphertext ct_(S) by using a decryption key sk_(Γ) including a reception-side vector k*_(1,t) indicated in Formula 10

[Formula 9]
$$\begin{aligned}
&\text{for } i = 1, \ldots, L, \\
&\text{if } \rho(i) = (t, v_i), \quad c_i := (\overbrace{s_i \vec{e}_1 + \theta_i \vec{v}_i,}^{n_t} \ \ldots)_{\mathbb{B}_{1,t}}, \\
&\text{if } \rho(i) = \neg(t, v_i), \quad c_i := (\overbrace{s_i \vec{v}_i,}^{n_t} \ \ldots)_{\mathbb{B}_{1,t}} \\
&\text{where } \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r}, \quad \vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}, \quad s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\theta_{i,t} \overset{U}{\leftarrow} \mathbb{F}_q, \quad \vec{v}_i := (v_i^{n-1}, \ldots, v_i, 1).
\end{aligned}$$

[Formula 10]
$$\begin{aligned}
&k_{1,t}^* = (\overbrace{\omega \vec{y}_t,}^{n_t} \ \ldots)_{\mathbb{B}_{1,t}^*} \quad \text{where} \quad \omega \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\vec{y}_t := (y_{1,t}, \ldots, y_{n_t,t}) \ \text{such that} \ \sum_{j=0}^{n_t-1} y_{n_t-j,t} z^{j} = z^{n_t-1-n_t'} \cdot \prod_{j=1}^{n_t'} (z - x_{j,t}).
\end{aligned}$$

17. The cryptographic system according to claim 12, wherein the processing circuitry generates a signature Sig including a transmission-side vector s*_(i) indicated in Formula 11, and verifies the signature Sig by using a verification key vk including a reception-side vector c_(i) indicated in Formula 12

[Formula 11]
$$\begin{aligned}
&s_i^* := \gamma_i \cdot \xi k_1^* + \sum_{t=1}^{n} u_{i,t} \cdot b_{1,t}^*, \quad \text{for } i = 1, \ldots, L \\
&\text{where } k_1^* = (\overbrace{\omega \vec{y},}^{n} \ \ldots)_{\mathbb{B}_1^*}, \quad \xi \overset{U}{\leftarrow} \mathbb{F}_q, \\
&\gamma_i, \ \vec{u}_i := (u_{i,1}, \ldots, u_{i,n}) \ \text{are defined as} \\
&\text{if } i \in I \wedge \rho(i) = \vec{v}_i, \quad \gamma_i := \alpha_i, \quad \vec{u}_i \overset{U}{\leftarrow} \{ \vec{u}_i \mid \vec{u}_i \cdot \vec{v}_i = 0 \wedge u_{i,1} = \beta_i \}, \\
&\text{if } i \in I \wedge \rho(i) = \neg\vec{v}_i, \quad \gamma_i := \frac{\alpha_i}{\vec{v}_i \cdot \vec{y}}, \quad \vec{u}_i \overset{U}{\leftarrow} \{ \vec{u}_i \mid \vec{u}_i \cdot \vec{v}_i = \beta_i \}, \\
&\text{if } i \notin I \wedge \rho(i) = \vec{v}_i, \quad \gamma_i := 0, \quad \vec{u}_i \overset{U}{\leftarrow} \{ \vec{u}_i \mid \vec{u}_i \cdot \vec{v}_i = 0 \wedge u_{i,1} = \beta_i \}, \\
&\text{if } i \notin I \wedge \rho(i) = \neg\vec{v}_i, \quad \gamma_i := 0, \quad \vec{u}_i \overset{U}{\leftarrow} \{ \vec{u}_i \mid \vec{u}_i \cdot \vec{v}_i = \beta_i \}
\end{aligned}$$

[Formula 12]
$$\begin{aligned}
&\text{for } i = 1, \ldots, L, \\
&\text{if } \rho(i) = v_i, \quad c_i := (\overbrace{s_i \vec{e}_1 + \theta_i \vec{v}_t,}^{n} \ \ldots)_{\mathbb{B}_1}, \\
&\text{if } \rho(i) = \neg v_i, \quad c_i := (\overbrace{s_i \vec{v}_t,}^{n_t} \ \ldots)_{\mathbb{B}_1} \\
&\text{where } \vec{f} \overset{U}{\leftarrow} \mathbb{F}_q^{r}, \quad \vec{s}^{T} := (s_1, \ldots, s_L)^{T} := M \cdot \vec{f}^{T}, \quad s_0 := \vec{1} \cdot \vec{f}^{T}, \\
&\theta_i \overset{U}{\leftarrow} \mathbb{F}_q, \quad \vec{v}_i := (v_i^{n-1}, \ldots, v_i, 1).
\end{aligned}$$

18. A non-transitory computer readable medium storing a cryptographic program for performing a cryptographic process using a basis B and a basis B*, the cryptographic program causing a computer to execute: a transmission-side process of generating a transmission-side vector being a vector in the basis B and being generated using one vector of a first vector consisting of coefficients y_(j) (j=1, . . . , n) of a polynomial having attribute information x_(i) (i=1, . . . , n′, n′ being an integer from 1 to n−1, n being an integer of 2 or greater) as roots and a second vector consisting of v₁ ^(i) (i=0, . . . , n−1) being a power of predicate information v₁; and a reception-side process of performing a pairing operation on the transmission-side vector and a reception-side vector being a vector in the basis B* and being generated using the other vector of the first vector and the second vector.
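
The first and second vectors of Formula 1 and Formula 2 (claim 12), worked through in the clear as an added example that is not part of the patent text: the inner product of the two vectors equals the polynomial evaluated at v₁, so it is 0 exactly when v₁ is a root. The function names and the toy modulus 101 are assumptions made for illustration; no basis B, basis B* or pairing is involved here.

```python
# Added example: Formula 1 / Formula 2 over a toy prime field.
Q = 101  # constructed toy modulus, standing in for the scheme's prime q


def first_vector(xs, n, q=Q):
    """y = (y_1..y_n) with sum_j y_{n-j} z^j = z^(n-1-n') * prod_j (z - x_j)."""
    n_prime = len(xs)
    if not 1 <= n_prime <= n - 1:
        raise ValueError("need 1 <= n' <= n-1 attribute values")
    coeffs = [1]  # coeffs[j] is the coefficient of z^j
    for x in xs:  # multiply the running polynomial by (z - x)
        nxt = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):
            nxt[j + 1] = (nxt[j + 1] + c) % q
            nxt[j] = (nxt[j] - c * x) % q
        coeffs = nxt
    # Padding factor z^(n-1-n') shifts the coefficients up to length n.
    coeffs = [0] * (n - 1 - n_prime) + coeffs
    # y_{n-j} is the coefficient of z^j, so y is the list reversed.
    return coeffs[::-1]


def second_vector(v1, n, q=Q):
    """v = (v1^(n-1), ..., v1, 1)."""
    return [pow(v1, n - 1 - i, q) for i in range(n)]


def inner_product(y, v, q=Q):
    return sum(a * b for a, b in zip(y, v)) % q


def is_root(xs, v1, n, q=Q):
    """True when y . v == 0, i.e. the padded polynomial vanishes at v1."""
    return inner_product(first_vector(xs, n, q), second_vector(v1, n, q), q) == 0


if __name__ == "__main__":
    attrs = [3, 7, 20]  # constructed attribute values x_1..x_3
    print(first_vector(attrs, 4))   # n' = n-1, no padding
    print(is_root(attrs, 7, 6))     # 7 is an attribute value
    print(is_root(attrs, 5, 6))     # 5 is not
    # With n' < n-1 the factor z^(n-1-n') makes z = 0 a root as well,
    # whether or not 0 is among the x_j; with n' = n-1 it does not.
    print(is_root(attrs, 0, 6), is_root(attrs, 0, 4))
```

The last line shows a consequence of the padding factor in Formula 1: when n′ < n−1 the value 0 always gives a zero inner product, so an implementation encoding attributes this way has to account for 0 as a predicate or attribute value.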